Hello: I'm getting access denied when trying to AssumeRoleWithWebIdentity into AWS.
Here is the OpenID resource I created and the policy:
from aws_cdk import Stack, aws_iam as iam, CfnOutput
from constructs import Construct
from config import (
    ORGANIZATION_ID,
    CIRCLECI_IDENTITY_PROVIDER,
    CIRCLECI_OPENID_PROVIDER_URL,
    PROJECT_ID,
)


class AuthStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # OIDC identity provider for CircleCI; the accepted audience is the organization ID
        iam.OpenIdConnectProvider(
            self,
            "CircleCi_Provider",
            url=CIRCLECI_OPENID_PROVIDER_URL,
            client_ids=[ORGANIZATION_ID],
        )
        # Role that CircleCI jobs assume with sts:AssumeRoleWithWebIdentity
        self.role = iam.Role(
            scope=self,
            id=construct_id,
            role_name="circleci_webidentity_role",
            assumed_by=iam.FederatedPrincipal(
                federated=CIRCLECI_IDENTITY_PROVIDER,
                conditions={
                    # "StringLike": {
                    #     f"{CIRCLECI_IDENTITY_PROVIDER}:sub": f"org/{ORGANIZATION_ID}/project/{PROJECT_ID}/user/*",
                    # },
                    "StringEquals": {
                        f"{CIRCLECI_IDENTITY_PROVIDER}:aud": f"{ORGANIZATION_ID}",
                    },
                },
                assume_role_action="sts:AssumeRoleWithWebIdentity",
            ),
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name("AdministratorAccess"),
            ],
            description="This role is assumed by CircleCi job requesting access to AWS Service Provider",
        )
        CfnOutput(self, "role", value=self.role.role_arn)
And then here is how the CircleCI jobs are trying to assume the role.
Here is my config.yml:
version: 2.1 # the version of the config circleci file
orbs:
  aws-cli: circleci/aws-cli@3.1.4
jobs:
  aws-cli-example:
    # a job takes either docker or executor, not both; the python+node image is needed for npm/cdk
    docker:
      - image: cimg/python:3.11.0-node
    environment:
      AWS_REGION: "us-east-1"
    working_directory: ~/workspace
    steps:
      - checkout
      - aws-cli/setup:
          aws-region: AWS_REGION
          role-arn: "arn:aws:iam::1234567890:role/circleci_webidentity_role"
      - run:
          name: CDK deployment
          command: |
            chmod +x .circleci/setUp.sh
            source .circleci/setUp.sh
workflows:
  aws-cli:
    jobs:
      - aws-cli-example:
          context:
            - aws-credentials
And here is setUp.sh:
#!/usr/bin/env bash
# Sourced by the CircleCI job after aws-cli/setup has exported the assumed-role credentials.
REGIONS=("us-east-1" "us-east-2")
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
npm install -g aws-cdk
cdk synth
for REGION in "${REGIONS[@]}"
do
    export AWS_REGION="$REGION"   # expand the loop variable; a bare REGION is the literal string
    cdk bootstrap
    cdk deploy --all --require-approval never
done
Could someone please help debug and identify the issue?
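A check worth running when debugging a trust policy like the one above, added here as an example and not code from the original post: it approximates how STS evaluates the role's conditions against the claims of a decoded CircleCI job token. IAM names web-identity condition keys `<provider URL without https://>:<claim>`, so the helper derives that prefix from the token's `iss` and shows that conditions keyed on the provider ARN instead never match; the organization, project and user IDs, account number and claim values are constructed placeholders.

```python
import fnmatch

# Constructed IDs standing in for the config constants in the post (not real values).
ORGANIZATION_ID = "11111111-2222-3333-4444-555555555555"
PROJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ISSUER_HOST = f"oidc.circleci.com/org/{ORGANIZATION_ID}"  # provider URL minus https://
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER_HOST}"
PROVIDER_CLIENT_IDS = [ORGANIZATION_ID]  # client_ids set on the OpenIdConnectProvider

# Constructed claims as they would appear in a decoded CircleCI job token.
TOKEN_CLAIMS = {
    "iss": f"https://{ISSUER_HOST}",
    "aud": ORGANIZATION_ID,
    "sub": f"org/{ORGANIZATION_ID}/project/{PROJECT_ID}/user/ffffffff-0000-1111-2222-333333333333",
}

def condition_key_prefix(issuer_url: str) -> str:
    """IAM names web-identity condition keys '<issuer without scheme>:<claim>'."""
    return issuer_url.removeprefix("https://").rstrip("/")

def evaluate_trust(conditions: dict, claims: dict, client_ids: list) -> list:
    """Return the failed checks; an empty list means STS would accept this token for the role."""
    failures = []
    # STS first requires the token audience to be one of the provider's client IDs.
    if claims.get("aud") not in client_ids:
        failures.append("aud not in provider client_ids")
    prefix = condition_key_prefix(claims["iss"])
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            key_prefix, _, claim = key.rpartition(":")
            # A key whose prefix is not the issuer host is absent from the request context.
            actual = claims.get(claim) if key_prefix == prefix else None
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringLike":  # IAM wildcards * and ? behave like fnmatch here
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                failures.append(f"{operator} {key}")
    return failures

def trust_conditions(key_prefix: str) -> dict:
    """The aud and sub conditions from the CDK stack in the post, keyed with key_prefix."""
    return {
        "StringEquals": {f"{key_prefix}:aud": ORGANIZATION_ID},
        "StringLike": {f"{key_prefix}:sub": f"org/{ORGANIZATION_ID}/project/{PROJECT_ID}/user/*"},
    }
```

Run `evaluate_trust(trust_conditions(ISSUER_HOST), TOKEN_CLAIMS, PROVIDER_CLIENT_IDS)` against a token from the real job (decode its payload, never log the token itself) to see which condition is rejecting it.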