Use multiple External IDs within an IAM Role Trust Relationship

Article ID: 282741

Updated On: 11-16-2024

Products

CloudHealth

Issue/Introduction

On occasions when a Partner admin has configured an AWS account at the Customer tenant rather than at the Partner tenant, the External ID that CloudHealth presents for use in the IAM role trust policy will differ from the one the Partner tenant expects, and the IAM role could be rejected if it is used elsewhere. This occurs because the External ID associated with the AWS account does not match the External ID configured in the AWS IAM role's trust policy.

AWS changed how External IDs are handled for cross-account access, which led to an update in how CloudHealth configures accounts in the platform. See the AWS documentation:
How to Use an External ID When Granting Access to Your AWS Resources to a Third Party

Resolution

CloudHealth automatically generates a unique External ID for each tenant. When an AWS account is configured within a tenant, CloudHealth automatically assigns that tenant's External ID to the account:

  • If the AWS account is configured within the Customer tenant, it takes on the External ID of the Customer tenant.
  • If the AWS account is configured within the Partner tenant, it takes on the External ID of the Partner tenant. When that account is assigned to the Customer tenant via Partner Generated Billing (PGB), the Partner tenant's External ID assigned to that AWS account is passed down to the Customer tenant.

There will be the ability to sync External IDs between tenants.

If both External IDs must be accepted by the IAM role trust policy, the 'sts:ExternalId' condition value can be an array containing both External IDs:

  1. Log into the AWS IAM Management Console
  2. Under 'Roles' select the role being used for CloudHealth
  3. Click on the 'Trust Relationship' tab and select 'Edit trust relationship'.
    Note: The account field under 'Trusted Entities' represents the ID of the secure CloudHealth managed account.
  4. Within the policy document editor, edit the 'sts:ExternalId' line so that its value is an array containing the required External IDs. For example:
  5. Click 'Update Trust Policy'
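As an added example (not part of the original article), the following Python snippet shows what step 4 produces: it takes a trust policy whose 'sts:ExternalId' condition holds a single External ID and rewrites it as an array that also accepts the second tenant's External ID, preserving the trusted account principal and the existing ID. The account ID and External ID values are constructed placeholders, not real CloudHealth values.

```python
import copy
import json

# Constructed sample trust policy: the account ID and External ID are
# placeholders, not real CloudHealth values. This is the "before" state,
# with the single External ID assigned when the account was configured.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "PARTNER-EXTERNAL-ID"}},
    }],
}


def _as_list(value):
    """IAM allows a single string (or object) wherever an array is valid."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def add_external_ids(policy, new_ids):
    """Return a copy of `policy` whose sts:AssumeRole statements accept the
    existing External ID(s) plus `new_ids`.

    StringEquals on an array matches when the presented sts:ExternalId equals
    any listed value, so either tenant's External ID is accepted. Existing IDs
    are kept, duplicates are dropped, and a missing Condition is created."""
    result = copy.deepcopy(policy)
    for stmt in _as_list(result["Statement"]):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        current = _as_list(cond.get("sts:ExternalId", []))
        cond["sts:ExternalId"] = list(dict.fromkeys(current + list(new_ids)))
    return result


def external_ids(policy):
    """List every External ID value the trust policy will accept."""
    ids = []
    for stmt in _as_list(policy["Statement"]):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids.extend(_as_list(cond.get("sts:ExternalId", [])))
    return ids


if __name__ == "__main__":
    print(json.dumps(add_external_ids(TRUST_POLICY, ["CUSTOMER-EXTERNAL-ID"]), indent=2))
```

The printed document is the trust policy to paste into the 'Edit trust relationship' editor; a role assumed with an External ID that is in neither array entry is still refused.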