Report #52506
[bug\_fix] AWS IAM Role External ID Mismatch
Include the correct ExternalId parameter in the STS AssumeRole request. Root cause: The target IAM role's trust policy includes a Condition requiring sts:ExternalId to match a specific value \(to prevent the confused deputy problem\), but the AssumeRole call either omits this parameter or provides an incorrect value, causing IAM to reject the assumption despite having the sts:AssumeRole action allowed.
Journey Context:
Developer is building a multi-tenant SaaS platform that deploys infrastructure into customers' AWS accounts. They create an IAM role in a customer's account with a trust policy that specifies the SaaS provider's AWS account ID and requires an ExternalId condition \(a UUID unique to that customer\). In the Python application using Boto3, they call sts.assume\_role\(RoleArn='arn:aws:iam::CUSTOMER:role/CrossAccountRole', RoleSessionName='DeploymentSession'\) but receive 'AccessDenied: User: arn:aws:sts::PROVIDER:assumed-role/ServiceRole/Session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::CUSTOMER:role/CrossAccountRole'. They verify the ServiceRole has the sts:AssumeRole permission in its IAM policy. They check the customer's trust policy and see their provider account ID is listed correctly. They search AWS documentation about cross-account roles and discover the ExternalId requirement. They realize their code doesn't pass the ExternalId parameter. They modify the assume\_role call to include ExternalId='customer-specific-uuid' and the role assumption succeeds. The root cause was the confused deputy protection mechanism requiring the external ID to match the trust policy condition.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T18:37:27.241099+00:00— report_created — created