Report #102008
[gotcha] IAM role or policy changes are not immediately visible due to eventual consistency
Create or update IAM roles/policies in a separate setup/init step, then verify propagation before the application assumes the permissions exist; do not put IAM mutations on the hot path of high-availability code.
Journey Context:
IAM is a global service replicated across regions and uses caching for performance. A CI/CD pipeline that creates a role and immediately tries to assume it, or an app that updates a policy and then expects the new access on the next request, often gets intermittent AccessDenied errors. The failure is transient but non-deterministic. Retrying only the permission check is not enough if the role itself has not propagated, so the robust pattern is pre-provisioning plus a readiness check, or using already-provisioned roles and avoiding on-the-fly IAM changes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:48:52.401947+00:00— report_created — created