
External account creation fails with "Invalid ARN or External ID. Could not assume STS role" error

Problem

Cannot create external account

Symptoms

External account creation fails with the following error messages:

  1. Credentials are invalid
  2. Invalid ARN or External ID. Could not assume STS role.

Cause

The specified ARN or External ID is invalid.

Resolution 

  1. Make sure the ARN provided is exactly the same as the one shown in your AWS console. To find the ARN, go into AWS console -> IAM -> Roles -> <Evident Service Role>, then look at the "Role ARN" parameter.  For example, 
  2. Make sure the External ID you provided is set as a condition for the trusted entity within that Role. To find the trusted entities, go into AWS console -> IAM -> Roles -> <Evident Service Role> -> Trust relationships tab, then look under the list of "Conditions".  For example,
  3. In the panel shown in the screenshot above, make sure the "Trusted entities" show the correct account number (this should be the Account ID displayed in Step #7 in the External Account creation page).
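
The three checks above can also be run against the role's trust policy JSON (the document behind the Trust relationships tab). This is an added example, not Evident.io code; the function name, role name, account IDs and External ID are constructed placeholders, and the principal match assumes the standard "aws" partition.

```python
import re

# IAM role ARN; the partition segment may be aws, aws-cn or aws-us-gov.
ROLE_ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_external_account(role_arn, trust_policy, external_id, trusted_account):
    """Return a list of problems; an empty list means all three steps pass."""
    problems = []
    # Step 1: the ARN must match the console value exactly (no stray whitespace).
    if not ROLE_ARN_RE.fullmatch(role_arn):
        problems.append("Role ARN is malformed or contains stray characters")
    acct_ok = ext_ok = both_ok = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or \
           "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        # Step 3: the trusted entity is the bare account ID or its root ARN.
        acct = any(p in (trusted_account, f"arn:aws:iam::{trusted_account}:root")
                   for p in aws)
        # Step 2: sts:ExternalId condition (condition key names are case-insensitive).
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = any(k.lower() == "sts:externalid" and external_id in _as_list(v)
                  for k, v in equals.items())
        acct_ok, ext_ok, both_ok = acct_ok or acct, ext_ok or ext, both_ok or (acct and ext)
    if not acct_ok:
        problems.append("Trusted entity does not match the expected account ID")
    if not ext_ok:
        problems.append("External ID is not a condition on the trust relationship")
    if acct_ok and ext_ok and not both_ok:
        problems.append("Account and External ID are in different statements")
    return problems

# Constructed sample values; none of these come from a real account.
SAMPLE_ARN = "arn:aws:iam::444455556666:role/Evident-Service-Role"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}},
    }],
}

if __name__ == "__main__":
    print(check_external_account(SAMPLE_ARN, SAMPLE_POLICY,
                                 "constructed-external-id", "111122223333"))
```

The same JSON is returned in the AssumeRolePolicyDocument field of `aws iam get-role`, so the check can be run without opening the console.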