I need to make a simple aws SSM automation document that lists out roles where the account trust policy allows access from other accounts. I am getting this error when I try to list out all of the account roles.

I am running the automation with admin permissions. I can do anything. My understanding is that whatever I launch should have my permissions. so I thinks I should be able to list_roles().

does anyone have any suggestion on what I need to add so that my automation will list roles?

 Traceback (most recent call last):
  File "/tmp/73ff3455-af8d-4df7-84cb-fb4a771a2387-2024-06-30-06-17-23/customer_script.py", line 7, in script_handler
    roles = iam.list_roles()
            ^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 553, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 989, in _make_api_call
    http, parsed_response = self._make_request(
                            ^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 1015, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/endpoint.py", line 119, in make_request
    return self._send_request(request_dict, operation_model)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/endpoint.py", line 198, in _send_request
    request = self.create_request(request_dict, operation_model)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/endpoint.py", line 134, in create_request
    self._event_emitter.emit(
  File "/var/lang/lib/python3.11/site-packages/botocore/hooks.py", line 412, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/hooks.py", line 256, in emit
    return self._emit(event_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/hooks.py", line 239, in _emit
    response = handler(**kwargs)
               ^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/signers.py", line 105, in handler
    return self.sign(operation_name, request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lang/lib/python3.11/site-packages/botocore/signers.py", line 195, in sign
    auth.add_auth(request)
  File "/var/lang/lib/python3.11/site-packages/botocore/auth.py", line 418, in add_auth
    raise NoCredentialsError()
botocore.exceptions.NoCredentialsError: Unable to locate credentials

NoCredentialsError - Unable to locate credentials

Here is my Terraform

resource "aws_ssm_document" "example" {
  name          = "CrossAccountRoles"
  document_type = "Automation"

  content = <<DOC
{
  "schemaVersion": "0.3",
  "description": "Crosss account role report. This automation document will list out all roles that allow cross account access.",
  "mainSteps": [
    {
      "name": "RunScript",
      "action": "aws:executeScript",
      "isEnd": true,
      "onCancel": "Abort",
      "onFailure": "Abort",
      "inputs": {
        "Runtime": "python3.11",
        "Handler": "script_handler",
        "Script": "import boto3nimport jsonndef script_handler(event, context):n    print("context=", context)n    account_id = context.get("global:ACCOUNT_ID")n    iam = boto3.client('iam')n    roles = iam.list_roles()n    print("roles=", roles)n    return {"status": "success"}"
      }
    }
  ]
}
DOC
}