Cross-account access for an external auditor typically usesSTS AssumeRoleinto a role that exists in each target account. Three common failure points are: (1) therole ARNbeing wrong or missing, (2) the auditor lacking permission to callsts:AssumeRoleon that role, and (3) anexternal IDmismatch when the role trust policy requires it. Theexternal IDis a best practice for third-party access to mitigate the confused-deputy problem; if the trust policy includes an sts:ExternalId condition, the auditor must supply the exact expected value. If it’s absent or incorrect, AssumeRole will be denied.

The auditor must also be authorized on their side (IAM user/role policy) to call sts:AssumeRole (permission), and the destination role’strust policymust trust the auditor principal. If either side is misconfigured, the assume operation fails. Finally, the auditor must reference the correctrole ARNfor each account; using an incorrect ARN (wrong account ID/role name/path) is a frequent reason only “some accounts” fail.

Incorrect password (B) is irrelevant if the auditor is using API/STS federation rather than console password auth, and EC2 instance roles (D) are not required for an external auditor. Missing/incorrect secret key (E) is possible for API auth, but the question centers on cross-account role access issues; the canonical causes are external ID, AssumeRole permission, and role ARN.