Kind-of.
TL;DR
- The lookup tools are case-insensitive
- Assuming a role is case-sensitive
- The console will use your capitalization and lie to you
- You can get the required capitalization out of the AWS CLI
Details
If you have an AWS role named “fooBar”, and you try to assume the role as “foobar”, it will fail. If you look in CloudTrail, you’ll see this error:
"errorCode": "AccessDenied",
"errorMessage": "An unknown error occurred",
All of the userIdentity values will check out. You’ll even get a link to the AWS::IAM::Role that it denied access to (the correct role). Pay attention though! That role link looks like this:
arn:aws:iam::1234567890:role/foobar
And that link takes you somewhere like this:
https://us-east-1.console.aws.amazon.com/iamv2/home#/roles/details/foobar?section=permissions
Which will happily show you “foobar” as the role name. If you change that URL to https://us-east-1.console.aws.amazon.com/iamv2/home#/roles/details/fOObAR?section=permissions, you will see the name change in the header to fOObAR. You can even look it up from the AWS command line with any case:
aws --profile test iam get-role --role-name "fOOBar"
Although this, at least, will tell you the role name with the correct capitalization:
{
    "Role": {
        "Path": "/",
        "RoleName": "fooBar",
        "RoleId": "ABC123",
        "Arn": "arn:aws:iam::1234567890:role/fooBar",
        "CreateDate": "2023-06-29T14:09:07+00:00",
        "AssumeRolePolicyDocument": {
            ...
        },
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {}
    }
}
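Since the CLI reports the true capitalization, the same data can be used to check role ARNs before anything tries to assume them. The following is an added example, not code from the original post: it compares each `role_arn` in an AWS CLI config file against role data shaped like the output of `aws iam list-roles`. The profile names, the `deploy` role and both sample inputs are constructed for illustration.

```python
import configparser
import json

# Constructed sample, shaped like the output of `aws iam list-roles`.
LIST_ROLES_JSON = """
{"Roles": [
  {"RoleName": "fooBar", "Arn": "arn:aws:iam::1234567890:role/fooBar"},
  {"RoleName": "deploy", "Arn": "arn:aws:iam::1234567890:role/deploy"}
]}
"""

# Constructed sample of an AWS CLI config file (profile names are made up).
AWS_CONFIG = """
[profile test]
region = us-east-1
[profile broken]
role_arn = arn:aws:iam::1234567890:role/foobar
source_profile = test
[profile ok]
role_arn = arn:aws:iam::1234567890:role/deploy
source_profile = test
[profile missing]
role_arn = arn:aws:iam::1234567890:role/nosuchrole
"""

def check_role_arns(config_text, list_roles_json):
    """Map each profile with a role_arn to (status, canonical ARN or None)."""
    roles = json.loads(list_roles_json)["Roles"]
    # Index by lowercased ARN: per the post, lookups ignore case, assuming does not.
    canonical = {r["Arn"].lower(): r["Arn"] for r in roles}
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    results = {}
    for section in cfg.sections():
        arn = cfg[section].get("role_arn")
        if arn is None:
            continue  # profile does not assume a role
        match = canonical.get(arn.lower())
        if match is None:
            results[section] = ("not-found", None)
        elif match == arn:
            results[section] = ("ok", match)
        else:
            results[section] = ("case-mismatch", match)
    return results

if __name__ == "__main__":
    for profile, (status, arn) in check_role_arns(AWS_CONFIG, LIST_ROLES_JSON).items():
        print(profile, status, arn or "")
```

A `case-mismatch` result carries the ARN with the capitalization that the role was created with, which is the value to put in the config.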