Multiple External Identity Auth Error #692

@m-braha

Description

Describe the bug

When a service account has multiple AWS External Identities, each with different STS endpoints, authentication can fail.

To Reproduce

Steps to reproduce the behavior:

  1. Create a service account
  2. Create two AWS external identities, one using the global STS endpoint, one using e.g., us-west-2. The ARNs don't seem to matter for this bug.
  3. Assign the identity with global STS to the SA
  4. On an EC2 in us-west-2, login with --mode aws-iam, success
  5. Back in Phase console, assign only the us-west-2 identity to the SA
  6. Back on the EC2, login with --mode aws-iam, failure (possibly expected)
  7. Back in Phase console, assign both identities to the SA
  8. Back on the EC2, login with --mode aws-iam, failure

Expected behavior

The UI to manage external identities is a menu of multiple toggles. I figured this means I could assign SAs arbitrary numbers of external identities. If one is valid, authentication will work.

Version

v2.54.1
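The expected "any valid identity is enough" behaviour above, as an added illustration that is not Phase's own code. It assumes a model in which the client signs an STS GetCallerIdentity request for one specific STS host (SigV4 binds the Host header, so the request is only valid at that endpoint) and the server must match that host against the STS endpoint configured on each assigned identity before checking the caller ARN; `verify_first_only` is a hypothetical selection rule that reproduces the reported symptom, `verify_any` the behaviour the reporter expects.

```python
# Added example, not Phase's implementation: selecting among several AWS external
# identities assigned to one service account during an "aws-iam" login.
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalIdentity:
    name: str
    sts_endpoint: str        # e.g. "sts.amazonaws.com" or "sts.us-west-2.amazonaws.com"
    allowed_arns: tuple      # caller ARNs this identity trusts


@dataclass(frozen=True)
class SignedRequest:
    sts_host: str            # host the client signed GetCallerIdentity for
    caller_arn: str          # ARN STS reported for that request (constructed value)


def verify_first_only(identities, req):
    """Hypothetical buggy rule: only the first assigned identity is consulted.

    A request signed for a different STS host than the first identity's
    endpoint fails even though another assigned identity would accept it.
    """
    if not identities:
        return None
    ident = identities[0]
    if ident.sts_endpoint != req.sts_host:
        return None
    return ident.name if req.caller_arn in ident.allowed_arns else None


def verify_any(identities, req):
    """Expected rule: accept if any assigned identity validates the request."""
    for ident in identities:
        if ident.sts_endpoint == req.sts_host and req.caller_arn in ident.allowed_arns:
            return ident.name
    return None


# Constructed sample data mirroring the reproduction steps in the report.
ARN = "arn:aws:sts::123456789012:assumed-role/ec2-role/i-0abc"
GLOBAL = ExternalIdentity("global", "sts.amazonaws.com", (ARN,))
USW2 = ExternalIdentity("us-west-2", "sts.us-west-2.amazonaws.com", (ARN,))
REQ_FOR_GLOBAL = SignedRequest("sts.amazonaws.com", ARN)

if __name__ == "__main__":
    # Step 8: both identities assigned; the client signed for the global endpoint.
    print("first-only:", verify_first_only([USW2, GLOBAL], REQ_FOR_GLOBAL))  # None
    print("any:", verify_any([USW2, GLOBAL], REQ_FOR_GLOBAL))                # global
```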

Labels: bug