Report #100152
[gotcha] IAM policy or role change is not enforced immediately after a successful API call
Wait and retry with exponential backoff after IAM changes; keep IAM setup out of hot request paths; verify propagation (for example, with sts:GetCallerIdentity or a test call) before relying on the new permissions.
Journey Context:
AWS IAM uses eventual consistency across globally distributed endpoints and caches. The API returns success before every enforcement point has the new state, so permissions can lag by seconds. IaC pipelines and deployment scripts often fail with AccessDenied or InvalidParameterValue because they assume synchronous consistency. The robust pattern is to retry with backoff, to separate IAM provisioning from runtime, and to prefer temporary credentials over long-term keys.
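The retry/backoff pattern above, as an added example written for this report (not code from the original or from AWS). It retries only errors whose code looks like stale IAM state, backs off exponentially with jitter, and raises anything else immediately so a genuine bug is not masked as "still propagating". The probe should be the call the new permission is meant to allow: sts:GetCallerIdentity confirms the credentials resolve, but only the target call proves the policy is in effect at that enforcement point. The `FakeClientError` and `EventuallyConsistentService` classes are constructed stand-ins so the block runs offline; they mirror the `.response["Error"]["Code"]` shape of `botocore.exceptions.ClientError`, so a real boto3 call can be passed as `probe` unchanged. The `*Exception`-suffixed error codes are an assumption about services that use that naming.

```python
import random
import time
from typing import Any, Callable, List, Tuple

# Constructed example, not code from the original report.

# Error codes treated as "IAM state may not have propagated yet".
# AccessDenied / InvalidParameterValue are named in the report; the
# *Exception variants are assumptions covering services that suffix them.
PROPAGATION_ERROR_CODES = frozenset({
    "AccessDenied",
    "AccessDeniedException",
    "InvalidParameterValue",
    "InvalidParameterValueException",
})


class FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError: exposes
    .response["Error"]["Code"] the same way, so the retry logic below
    also works against real boto3 clients."""

    def __init__(self, code: str, message: str = "") -> None:
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def error_code(exc: BaseException) -> str:
    """Extract the AWS error code from a ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")


def is_propagation_error(exc: BaseException) -> bool:
    return error_code(exc) in PROPAGATION_ERROR_CODES


def backoff_delay(attempt: int, base: float, cap: float, rng: Callable[[], float]) -> float:
    """Exponential backoff with 'equal jitter': half the window is fixed,
    half is random, so retries spread out without ever collapsing to zero."""
    window = min(cap, base * (2 ** (attempt - 1)))
    return window / 2 + (window / 2) * rng()


def wait_for_iam_propagation(
    probe: Callable[[], Any],
    *,
    max_attempts: int = 8,
    base_delay: float = 1.0,
    max_delay: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Callable[[], float] = random.random,
) -> Tuple[Any, int]:
    """Call `probe` until it succeeds or `max_attempts` is exhausted.

    `probe` should exercise the permission just granted (e.g. the boto3
    call the new policy allows). Only propagation-shaped errors are
    retried; anything else (bad input, missing resource) is raised at
    once. Returns (probe result, attempts used).
    """
    last_exc = None
    for attempt in range(1, max_attempts + 1):
        try:
            return probe(), attempt
        except Exception as exc:  # inspected by error code, then re-raised if unrelated
            if not is_propagation_error(exc):
                raise
            last_exc = exc
            if attempt < max_attempts:
                sleep(backoff_delay(attempt, base_delay, max_delay, rng))
    raise TimeoutError(f"IAM change not visible after {max_attempts} attempts") from last_exc


class EventuallyConsistentService:
    """Constructed fake: denies the first `lag_calls` calls, as an
    enforcement point that has not yet seen the new policy would."""

    def __init__(self, lag_calls: int) -> None:
        self.lag_calls = lag_calls
        self.calls = 0

    def describe_thing(self) -> dict:
        self.calls += 1
        if self.calls <= self.lag_calls:
            raise FakeClientError("AccessDenied", "not authorized (stale policy)")
        return {"Thing": "ok", "ServedOnCall": self.calls}


def demo(lag_calls: int = 3) -> Tuple[dict, int, List[float]]:
    """Run the retry loop against the fake with recorded, sleep-free delays."""
    svc = EventuallyConsistentService(lag_calls)
    delays: List[float] = []
    result, attempts = wait_for_iam_propagation(
        svc.describe_thing,
        sleep=delays.append,
        rng=lambda: 0.0,  # deterministic here; keep random.random in production
    )
    return result, attempts, delays


if __name__ == "__main__":
    print(demo())  # ({'Thing': 'ok', 'ServedOnCall': 4}, 4, [0.5, 1.0, 2.0])
```

In a deployment script the call would look like `wait_for_iam_propagation(lambda: s3.head_bucket(Bucket=name))` with a real boto3 client; `max_attempts` and `max_delay` bound the total wait so a genuinely wrong policy surfaces as a `TimeoutError` rather than an endless loop.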
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:44:54.060732+00:00 — report_created — created