Error: "Unable to perform STS:AssumeRole..." when integrating AWS

Problem: 

When integrating AWS, you run into the following error in Vanta when validating the ARN of the role you've created:

Unable to perform STS:AssumeRole. Please follow the linking instructions to create the vanta-auditor role

 

Solution:

It's likely that the Account ID and External ID required for the role were entered incorrectly, or MFA was enforced on the role. To correct this, navigate to the role you created in AWS IAM and select Trust relationships.

The Account ID and External ID shown there should match what is provided by Vanta in the "role creation" step of the AWS linking flow.

Also confirm that this trust relationship does not contain the following:

    "Bool": {
        "aws:MultiFactorAuthPresent": true
    }

If this exists in the trust relationship, remove it from the policy or set it to "false" and try to connect Vanta again.
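
The three checks above (Account ID, External ID, MFA condition) can also be run against the role's trust policy JSON. The Python script below is an added example, not Vanta's or AWS's code. The account ID, External ID and sample policy are constructed placeholders, and it only looks at the StringEquals and Bool condition blocks.

```python
import json

def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Principal is a bare account ID or an ARN whose fifth field is the account."""
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) > 4 else principal

def check_trust_policy(policy, account_id, external_id):
    """Return a list of findings; an empty list means none of the three issues."""
    allow = [s for s in _as_list(policy.get("Statement"))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allow:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for s in allow:
        principal = s.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        accounts = sorted({_account_of(p) for p in aws})
        if account_id not in accounts:
            findings.append(f"principal account {accounts} does not include {account_id}")
        cond = s.get("Condition", {})
        ext = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId"))
        if external_id not in ext:
            findings.append(f"sts:ExternalId {ext} does not include {external_id}")
        mfa = _as_list(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent"))
        if any(str(v).lower() == "true" for v in mfa):  # JSON true or "true"
            findings.append("aws:MultiFactorAuthPresent is required")
    return findings

# Constructed sample: mistyped External ID and MFA enforced (placeholder values).
SAMPLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "sts:AssumeRole",
   "Condition": {
     "StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-1D"},
     "Bool": {"aws:MultiFactorAuthPresent": true}}}]}
""")

if __name__ == "__main__":
    for f in check_trust_policy(SAMPLE, "111122223333", "EXAMPLE-EXTERNAL-ID"):
        print("FAIL:", f)
```

The trust policy of the role can be exported with `aws iam get-role --role-name vanta-auditor --query Role.AssumeRolePolicyDocument` and passed to `check_trust_policy` together with the values shown in the Vanta linking flow.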
