External account creation fails with "Invalid ARN or External ID. Could not assume STS role" error
Cannot create external account
External account creation fails with the following error messages:
- Credentials are invalid
- Invalid ARN or External ID. Could not assume STS role.
The specified ARN or External ID is invalid.
- Make sure the ARN you provided exactly matches the one shown in your AWS console. To find the ARN, go to AWS console -> IAM -> Roles -> <Evident Service Role>, then look at the "Role ARN" parameter.
- Make sure the specified External ID is set as a condition for the trusted entity within that role. To find the trusted entities, go to AWS console -> IAM -> Roles -> <Evident Service Role> -> Trust relationships tab, then look under the list of "Conditions".
- In the same Trust relationships tab, make sure the "Trusted entities" show the correct account number (this should be the Account ID displayed in Step #7 in the External Account creation page).