External account creation fails with unable to detect the policy and access to services error

Created On 09/26/18 19:13 PM - Last Modified 07/19/22 23:12 PM



External account creation fails with the following error messages:

"We were able to assume role, but are unable to detect the policy and access to services. Please make sure you have given us iam:ListAttachedRolePolicies access, and read access to the services you would like us to check."



Examine the Evident-Service-Role's policy and make sure the role can perform the following actions:

  1. iam:ListRoles
  2. iam:ListRolePolicies (on Evident-Service-Role)
  3. iam:ListAttachedRolePolicies (on Evident-Service-Role)
  4. iam:GetRolePolicy (on all of Evident-Service-Role's inline policies)
  5. iam:GetPolicy (on all of Evident-Service-Role's inline policies)
  6. iam:GetPolicyVersion (on all of Evident-Service-Role's managed policies)

AWS SecurityAudit contains all of the above permissions. If your Evident-Service-Role has the SecurityAudit role attached, there must be another role or policy with a statement that explicitly denies one or more of the permissions listed above.


Modify Evident-Service-Role's policies to allow the actions listed above. If applicable, remove all roles and policies attached to Evident-Service-Role except for the AWS SecurityAudit role.
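As an added example (not part of this article), the following Python takes a set of IAM policy documents, such as the ones returned for Evident-Service-Role by `aws iam get-role-policy` and `aws iam get-policy-version`, and classifies each of the six required actions as allowed, explicitly denied, or missing. The sample documents are constructed, and the check deliberately ignores Resource and Condition elements, so any matching Deny is reported.

```python
import fnmatch

# Actions the article says Evident-Service-Role must be able to perform.
REQUIRED_ACTIONS = [
    "iam:ListRoles", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
    "iam:GetRolePolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
]


def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements(documents):
    # Normalise Statement and Action to lists; yield (Effect, [actions]).
    for doc in documents:
        stmts = doc.get("Statement", [])
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
            actions = stmt.get("Action", [])
            yield stmt.get("Effect"), ([actions] if isinstance(actions, str) else actions)


def check_required_actions(documents, required=REQUIRED_ACTIONS):
    """Classify each required action as allowed, explicitly denied or missing.
    Simplified: Resource/Condition are ignored, so any matching Deny counts."""
    result = {"allowed": [], "denied": [], "missing": []}
    for action in required:
        effects = {e for e, acts in _statements(documents)
                   if any(_matches(p, action) for p in acts)}
        if "Deny" in effects:          # an explicit deny always wins in IAM
            result["denied"].append(action)
        elif "Allow" in effects:
            result["allowed"].append(action)
        else:
            result["missing"].append(action)
    return result


# Constructed sample: a SecurityAudit-style Allow plus a stray explicit Deny,
# which is the situation the article describes. Replace with the documents
# retrieved from the role's inline and attached managed policies.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Deny", "Action": "iam:ListAttachedRolePolicies", "Resource": "*"}},
]

if __name__ == "__main__":
    print(check_required_actions(SAMPLE_POLICIES))
```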
