How to access AWS services from Astronomer deployments using STS assume role?

Each of the deployments come with a workload identity when we create the deployment. I have another iam role in an AWS account that has access to specific secret in secretmanager and to an s3 bucket.
I want the deployment workload identity to do an sts and then access the corresponding AWS resources.

I followed Astronomer’s documentation
Authorize an Astro Deployment to cloud resources using workload identity | Astronomer Documentation . But this doesn’t work. As per the documentation Astronomer deployment workload identity will automatically do as STS, but it doesn’t happen in reality.

Any guidance is appreciated

Hello @sushanth_ca

Could you verify the following:

  1. You created a role with permissions to access the S3 bucket and the AWS Secret Manager
  2. You edited the Trust Relationship of the Role to include the WI of the Deployment to assume the role
  3. You created a connection with the Role you created in Step #1 and it’s associated region
  4. You are using the connection created in Step #3 in your DAG.

Also, could you please share the error you are getting in the Task Log.