Report #11985
[bug\_fix] botocore.exceptions.ClientError: An error occurred \(AccessDenied\) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
Update the IAM Role trust policy to specify the correct audience \(aud\) claim for the OIDC provider. For EKS IRSA, ensure the condition includes "oidc.eks..amazonaws.com/id/:aud": "sts.amazonaws.com" and the subject \(sub\) condition exactly matches "system:serviceaccount::". If the OIDC provider itself is missing from IAM, run \`eksctl utils associate-iam-oidc-provider\` or create it manually. Root cause: The JWT token issued by EKS contains aud \(audience\) and sub \(subject\) claims. The IAM trust policy acts as an authorization gate. If the Condition keys for oidc.eks.region.amazonaws.com/id/XXX:aud or :sub don't match the token claims, STS rejects the AssumeRole call with AccessDenied.
Journey Context:
Developer creates an EKS cluster and annotates a Kubernetes Service Account with an IAM role ARN for IRSA. They apply the configuration and the pod starts, but the application fails to access S3 with credential errors. Checking logs shows AccessDenied on AssumeRoleWithWebIdentity. Developer verifies the IAM role exists and the OIDC provider URL matches the cluster. They examine the IAM role trust policy and realize they copied a condition block that checks for "sts.amazonaws.com" as the audience, but they forgot to include the condition for the subject \(sub\) claim, or they have a typo in the namespace/service account name. They use \`jwt decode\` on the token mounted at /var/run/secrets/eks.amazonaws.com/serviceaccount/token to see the exact sub claim, update the trust policy to match, and the pod successfully assumes the role.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T14:48:16.668850+00:00— report_created — created