Report #100615
[gotcha] AWS IAM policy or role changes are not immediately visible, causing AccessDenied
Make IAM changes in a deployment or initialization phase, not in the request hot path. Verify propagation with sts:GetCallerIdentity or a small test call before production traffic depends on the new role or policy.
Journey Context:
IAM uses a distributed, eventually consistent model: changes are replicated across AWS regions and cached. AWS docs explicitly state changes can take time to propagate. Developers commonly assume IAM is strongly consistent because the API returns success, then the next call fails with AccessDenied. This is especially painful in CI/CD pipelines that create a role and immediately assume it, or in IaC that creates a Lambda and immediately invokes it. Retrying in application code is the wrong fix because it couples identity management to runtime. The right pattern is a separate initialization phase where IAM changes are made and verified before they are needed.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:48:21.587959+00:00— report_created — created