An external ID is an additional piece of information that you can specify when assuming an IAM role. The external ID is recommended if you are a third party that assumes roles in order to access resources in AWS accounts that you don't own. As a third party, you might have multiple customers who use your service to access or manage their AWS resources. You assign an external ID that is associated with each customer. Customers include this ID when they create a role that you can assume. Then each time you assume a role, you include the external ID as part of the request. Using the external ID to bind your customers with their roles helps ensure that you access the corresponding AWS account. (This association helps prevent a form of privilege escalation known as the "Confused Deputy problem.")
The external ID can be any identifier that your company uses to identify each customer (it doesn't have to be a secret value). The only requirement is that the external ID must be unique for each customer.
Whenever you access a customer's AWS resources, you call AssumeRole and specify their role's Amazon Resource Name (ARN) and the external ID that you provided to the customer. The external ID is a condition that is set in the role's trust policy and is verified by AWS as part of the authorization check whenever you assume a role. Access is only granted if the ARN and the external ID are correct. If you try to assume a role for which you are specified as a trusted account but pass an incorrect external ID, you are denied access.
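The following is an added illustration, not code from the AWS documentation: a simplified model of the trust-policy check described above, with a constructed trust policy that trusts a third-party account only when the request carries the agreed external ID. The account IDs and the external ID value are placeholders, and the evaluator covers only the `sts:ExternalId` `StringEquals` condition, not the full IAM policy language.

```python
import copy
import json

# Constructed trust policy on the customer's role: the third party's account
# (placeholder 111122223333) may assume the role only with the external ID
# the third party assigned to this customer (placeholder "customer-12345").
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "customer-12345"}}
  }]
}
""")

# The weak variant: same trusted account, but no external ID condition, so
# the trusted account can assume the role on behalf of any caller (the
# confused-deputy exposure the external ID is meant to close).
WEAK_TRUST_POLICY = copy.deepcopy(TRUST_POLICY)
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]


def assume_role_allowed(trust_policy, caller_account, external_id=None):
    """Simplified model of the trust-policy check AWS applies on AssumeRole.

    Returns True only if an Allow statement names the caller's account as a
    trusted principal AND any sts:ExternalId condition on that statement
    equals the external ID sent with the request. Wrong ARN or wrong
    external ID means the request is denied.
    """
    caller_arn = f"arn:aws:iam::{caller_account}:root"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        # No condition: any request from the trusted account is accepted.
        if required is None or required == external_id:
            return True
    return False
```

Comparing the two policies with the same caller shows why the condition matters: with it, the trusted account still cannot assume the role unless it also presents the customer-specific external ID.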