Report #103006
[gotcha] IAM policy or role changes are not immediately effective across all AWS endpoints
Keep IAM changes out of hot code paths. Apply them in a setup or initialization routine, then wait and verify propagation before production workflows depend on the new permissions.
Journey Context:
IAM uses a distributed, cached computing model. After attaching a policy or creating a role, the change must replicate across regions and invalidate caches. CI pipelines and deployments often fail with AccessDenied immediately after a policy update because they assume synchronous application. Polling with backoff helps, but the robust pattern is to separate IAM changes from runtime code and confirm propagation before deployment. This delay is intentional for availability and performance.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:51:42.797001+00:00— report_created — created