Which of the following may be causing this problem?
(Choose three.)
The external ID used by the Auditor is missing or incorrect.
The Auditor is using the incorrect password.
The Auditor has not been granted sts:AssumeRole for the role in the destination account.
The Amazon EC2 role used by the Auditor must be set to the destination account role.
The secret key used by the Auditor is missing or incorrect.
The role ARN used by the Auditor is missing or incorrect.
Explanations:
The external ID is a security measure to prevent the “Confused Deputy” problem. If the external ID is missing or incorrect, the Auditor will not be able to assume the IAM role in the destination account.
The Auditor using an incorrect password does not affect the ability to assume an IAM role across accounts. IAM roles are assumed using STS, not traditional user credentials.
If the Auditor has not been granted the sts:AssumeRole permission for the role in the destination account, they will be unable to assume the role necessary for auditing that account.
The Amazon EC2 role used by the Auditor is irrelevant to the role assumption in the destination account. The roles in different accounts are independent of one another.
The use of secret keys pertains to IAM users, not to cross-account role assumptions, which rely on temporary security tokens generated through STS.
If the role ARN used by the Auditor is missing or incorrect, the sts:AssumeRole operation will fail, preventing access to the necessary IAM role in the destination account.