AWS IAM roles are case-sensitive



  • The lookup tools are case-insensitive
  • Assuming a role is case-sensitive
  • The console will use your capitalization and lie to you
  • You can get the required capitalization out of the AWS CLI


If you have an AWS role named “fooBar”, and you try to assume the role as “foobar”, it will fail. If you look in cloud trail, you’ll see this error:

 "errorCode": "AccessDenied",
 "errorMessage": "An unknown error occurred",

All of the userIdentity values will check out. You’ll even get a link to the AWS::IAM::Role that it denied access to (the correct role). Pay attention though! That role link looks like this:


And that link takes you somewhere like this:

Which will happily show you “foobar” as the role name. If you change that URL to, you will see the name change in the header to fOObAR. You can even look it up from the AWS command line with any case:

aws --profile test iam get-role --role-name "fOOBar"      

Although this, at least, will tell you the role name with the correct capitalization:

    "Role": {
        "Path": "/",
        "RoleName": "fooBar",
        "RoleId": "ABC123",
        "Arn": "arn:aws:iam::1234567890:role/fooBar",
        "CreateDate": "2023-06-29T14:09:07+00:00",
        "AssumeRolePolicyDocument": {
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {}

About Bion

I'm a software developer at Modo Payments, a mobile payment provider. When I'm not hacking away the office, you I'm usually at home hacking on something else. Or practicing Aikido. Anyway, I just post things here that Google couldn't help me with, so maybe it'll help you in the future. Since you're reading this, I guess it worked :)
This entry was posted in Technology. Bookmark the permalink.

Comments are closed.