Report #102470
[gotcha] Created or updated IAM role/policy but AssumeRole or authorization fails immediately
Treat IAM changes as eventually consistent: add retry/backoff after creation, use the regional STS endpoint for the AssumeRole call, and pre-provision roles/policies in CI before the first use.
Journey Context:
IAM is a global service that replicates changes across AWS regions. The Create/Update API returns success before the new policy or role trust relationship is visible to every STS endpoint. The classic failure is a deployment script that creates a role and immediately assumes it, getting AccessDenied. Waiting a fixed 'sleep 10' is brittle; exponential backoff on AssumeRole is robust. Regional STS endpoints often see changes faster than the legacy global endpoint.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:56:00.450710+00:00— report_created — created