AWS IAM glossary

What is IAM ExternalId?

ExternalId is a shared secret placed in a cross-account role trust policy condition to prevent the confused-deputy problem when a third party assumes your role.

When you grant a third-party vendor access by letting their AWS account assume a role in your account, naming their account as the principal is not enough. Any of that vendor's customers could trick the vendor into assuming your role on their behalf. Requiring a unique ExternalId in the trust policy condition closes that gap.

The vendor stores the ExternalId you assign and includes it on every sts:AssumeRole call. Because the value is unique per customer, it prevents one customer of the vendor from impersonating another. AWS specifically recommends ExternalId for third-party cross-account access.

Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::VENDOR_ACCOUNT:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "your-unique-id" } }
    }
  ]
}

Common mistake

Omitting the ExternalId condition on a third-party cross-account role, or reusing the same value across customers, reopens the confused-deputy problem the condition is meant to solve.
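As an added example (not code from this page or from Shieldly), a small Python audit that checks a set of role trust policies for both mistakes above: a cross-account sts:AssumeRole statement with no sts:ExternalId condition, and one ExternalId value shared by more than one role. The role names, account ids and ExternalId values are constructed for illustration.

```python
# Audits role trust policies for the two ExternalId mistakes described above: a cross-account
# sts:AssumeRole statement with no sts:ExternalId condition, and one value shared by several roles.
import re
from collections import defaultdict

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):  # "123456789012" or "arn:aws:iam::123456789012:root"; "*" -> None
    match = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", str(principal))
    return match.group(1) if match else None

def _external_ids(condition):  # every sts:ExternalId value under a StringEquals/StringLike operator
    return [v for op, pairs in condition.items() if op.startswith(("StringEquals", "StringLike"))
            for key, val in pairs.items() if key.lower() == "sts:externalid" for v in _as_list(val)]

def audit_trust_policies(own_account, roles):
    """roles: role name -> trust policy dict. Returns a list of finding strings."""
    findings, roles_by_id = [], defaultdict(set)
    for role, doc in roles.items():
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
                continue
            principal = stmt.get("Principal", {})
            aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
            foreign = [p for p in aws if _account_of(p) != own_account]
            if not foreign:
                continue  # same-account trust; ExternalId is not needed here
            ids = _external_ids(stmt.get("Condition", {}))
            if not ids:
                findings.append(f"{role}: trusts {foreign} without sts:ExternalId condition")
            for external_id in ids:
                roles_by_id[external_id].add(role)
    for external_id, names in roles_by_id.items():
        if len(names) > 1:
            findings.append(f"ExternalId {external_id!r} reused by {sorted(names)}")
    return findings

def _trust(principal, external_id=None):  # builds a constructed sample trust policy
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

SAMPLE_ROLES = {  # constructed; account ids and ExternalId values are made up
    "VendorAuditRole": _trust("arn:aws:iam::111111111111:root", "cust-7f3a"),
    "VendorBackupRole": _trust("111111111111"),  # third party, no ExternalId
    "VendorBillingRole": _trust("arn:aws:iam::111111111111:root", "cust-7f3a"),  # reused value
    "InternalOpsRole": _trust("arn:aws:iam::222222222222:root"),  # same account, fine
}
```

Run against your own account by passing the AssumeRolePolicyDocument of each role returned by iam:ListRoles; the sample above yields one missing-condition finding and one reuse finding.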


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.