Report #101059
[gotcha] A newly created IAM role or policy is attached but the application still gets AccessDenied immediately after deployment
Do not create or update IAM users, roles, policies, or tags in the hot path of a request. Make IAM changes in a separate initialization or setup routine, then verify propagation by assuming the role or issuing a test API call with retry/backoff before production traffic depends on it. Account for eventual consistency across Regions and caches.
Journey Context:
IAM uses a distributed, eventually consistent model. Changes can take seconds—or longer—to replicate across data centers and to flush caches, so a Terraform apply or console change that returns success is not a guarantee that the credential or policy is visible on the next API call. The common failure mode is a CI/CD pipeline that creates a role, then immediately launches a workload that assumes it and gets AccessDenied. Retrying in the app is a band-aid; the real fix is separating identity provisioning from runtime and adding a readiness check.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T04:54:49.904624+00:00— report_created — created