Error: Datadog is not authorized to perform sts:AssumeRole

This error usually indicates an issue with the trust policy associated with the Datadog integration role. Most of the time, this issue is caused by the role delegation process.

Check the following points for the AWS account mentioned in the error:

  1. When creating an IAM role, ensure that you are using the correct IAM role name in the Datadog AWS integration page. Extra spaces or characters in AWS or Datadog cause the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to DatadogIntegrationRole.

    Screenshot: AWS Create IAM Role Review page with DatadogAWSIntegrationRole entered for Role name, account 464622532012 listed for Trusted entities, and DatadogAWSIntegrationPolicy listed for Policies.

  2. Ensure Datadog’s account ID 464622532012 is entered under Another AWS account. Entering any other account ID causes the integration to fail. Also ensure Require MFA is unchecked:

    Screenshot: AWS Create IAM Role page with Another AWS account selected as the type of trusted entity, 464622532012 entered for the account ID, and the Require MFA checkbox unchecked.

  3. Generate a new AWS External ID under Account Details in the Datadog AWS Integration page and click Save:

    Screenshot: Datadog AWS integration page with the AWS Role Name and AWS External ID fields and the Generate New ID button.

  4. Add the newly generated AWS External ID to your AWS trust policy:

    Screenshot: AWS trust policy document with the sts:ExternalId condition highlighted.

Note that the error may persist in the UI for a few hours while the changes propagate.
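The four checks above can be run mechanically against the role's trust policy before waiting for the UI to catch up. The following is an added example (not Datadog's or AWS's code) that validates a trust policy document for the three properties the steps require: the principal is Datadog's account 464622532012, the sts:ExternalId condition matches the ID generated in Datadog (whitespace differences are reported separately, since those are the usual copy-paste failure), and MFA is not required. The sample policy and the external ID EXAMPLE_EXTERNAL_ID are constructed placeholders; feed it the real document from `aws iam get-role` instead.

```python
import json

# Datadog's AWS account ID, as given in the troubleshooting steps above.
DATADOG_ACCOUNT_ID = "464622532012"

# Constructed sample trust policy for illustration. The external ID is a
# placeholder; the real value is the one generated on the Datadog AWS
# integration page.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::464622532012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_EXTERNAL_ID"}},
    }],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the 12-digit account ID from a bare ID or an IAM ARN."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_trust_policy(policy, expected_external_id):
    """Return the list of problems found in a trust policy (dict or JSON
    string); an empty list means it matches what the integration needs."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems = []
    found_assume_role = False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        found_assume_role = True

        # Step 2: the trusted principal must be Datadog's account.
        principal = stmt.get("Principal") or {}
        accounts = {_account_of(p) for p in _as_list(principal.get("AWS"))}
        if DATADOG_ACCOUNT_ID not in accounts:
            problems.append(f"principal account(s) {sorted(accounts) or 'none'} "
                            f"do not include Datadog's account {DATADOG_ACCOUNT_ID}")

        # Steps 3 and 4: the external ID condition must match exactly.
        cond = stmt.get("Condition") or {}
        external_id = (cond.get("StringEquals") or {}).get("sts:ExternalId")
        if external_id is None:
            problems.append("no sts:ExternalId condition; add the ID generated in Datadog")
        elif external_id != expected_external_id:
            if external_id.strip() == expected_external_id.strip():
                problems.append("sts:ExternalId differs only by surrounding whitespace")
            else:
                problems.append("sts:ExternalId does not match the ID generated in Datadog")

        # Step 2: an MFA condition would block a cross-account service principal.
        mfa = (cond.get("Bool") or {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() == "true":
            problems.append("aws:MultiFactorAuthPresent is required; uncheck Require MFA")

    if not found_assume_role:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems


if __name__ == "__main__":
    report = check_trust_policy(SAMPLE_TRUST_POLICY, "EXAMPLE_EXTERNAL_ID")
    for line in report or ["trust policy looks correct"]:
        print(line)
```

The whitespace check exists because step 1's "extra spaces or characters" failure mode is invisible in the console; a stray trailing space in either the role name or the external ID looks identical to a correct value until STS rejects it.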

If you see the STS AssumeRole error limited to one or a few regions:

Datadog is not authorized to perform action sts:AssumeRole Account affected:<account_id> Regions affected: us-east-1, eu-west-1 

The source of the issue could be AWS Service Control Policies.

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines.

To remove the error in the integration page, you can exclude regions in your AWS integration under the General tab, or use the Update an AWS integration API.
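To turn the region-limited error above into the exclusion list the General tab (or the Update an AWS integration API) needs, it helps to confirm that each affected region really is blocked by an SCP rather than by something else. The following is an added example, not Datadog's or AWS's code: it extracts the regions from the error text shown above and evaluates them against a constructed "allowed regions" SCP of the kind that produces this symptom. The SCP model is deliberately simplified (it only looks at Deny statements with an aws:RequestedRegion condition and ignores Action scope and NotAction), and the account ID in the sample error is a placeholder.

```python
import re

# Error text in the format shown on the integration page; the account ID is
# a constructed placeholder.
SAMPLE_ERROR = ("Datadog is not authorized to perform action sts:AssumeRole "
                "Account affected:123456789012 Regions affected: us-east-1, eu-west-1")

# Constructed SCP using the common "deny everything outside allowed regions"
# pattern; only us-west-2 and eu-central-1 are permitted.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-west-2", "eu-central-1"]}},
    }],
}

# Matches AWS region names such as us-east-1, ap-southeast-2, us-gov-west-1.
REGION_RE = re.compile(r"[a-z]{2}(?:-[a-z]+)+-\d")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_affected_regions(error_text):
    """Pull the region list out of the 'Regions affected:' part of the error."""
    match = re.search(r"Regions affected:\s*(.*)$", error_text)
    if not match:
        return []
    return REGION_RE.findall(match.group(1))


def scp_denies_region(scp, region):
    """Simplified check: does any Deny statement's aws:RequestedRegion
    condition (StringEquals or StringNotEquals) match this region?"""
    for stmt in _as_list(scp.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition") or {}
        denied = _as_list((cond.get("StringEquals") or {}).get("aws:RequestedRegion"))
        allowed = _as_list((cond.get("StringNotEquals") or {}).get("aws:RequestedRegion"))
        if denied and region in denied:
            return True
        if allowed and region not in allowed:
            return True
    return False


def regions_to_exclude(error_text, scp):
    """Affected regions that the SCP explains; these are the ones to exclude
    in the integration's General tab."""
    affected = parse_affected_regions(error_text)
    return sorted(r for r in affected if scp_denies_region(scp, r))


def unexplained_regions(error_text, scp):
    """Affected regions the SCP does not deny; those need a different root cause."""
    return sorted(set(parse_affected_regions(error_text)) - set(regions_to_exclude(error_text, scp)))


if __name__ == "__main__":
    print("exclude:", regions_to_exclude(SAMPLE_ERROR, SAMPLE_SCP))
    print("investigate further:", unexplained_regions(SAMPLE_ERROR, SAMPLE_SCP))
```

Regions that the error lists but the SCP does not deny should not simply be excluded; they point at a different cause (for example the trust policy issues covered earlier on this page).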

Still need help? Contact Datadog support.
