I’m struggling to figure out what the problem is with my approaches, as they both hit (almost) the same error for no reason.
First I had the following command:
```yaml
build_and_push_ecr_image:
  description: "Build and push an image to an ECR repository for a specific service"
  parameters:
    environment:
      description: "The environment for which to build the images"
      type: enum
      enum: ["qa", "production"]
    ecr_repo_name:
      description: "The ECR repository name"
      type: string
    service_path:
      description: "The subdirectory path in the monorepo"
      type: string
  steps:
    - run:
        name: Set account number and arn
        command: |
          if [ "<< parameters.environment >>" == "qa" ]; then
            echo 'export LOCAL_ACCOUNT_ID="x"' >> "$BASH_ENV"
            echo 'export LOCAL_ROLE_ARN="arn:aws:iam::xxx:role/CircleCiOpenID"' >> "$BASH_ENV"
          else
            echo 'export LOCAL_ACCOUNT_ID="y"' >> "$BASH_ENV"
            echo 'export LOCAL_ROLE_ARN="arn:aws:iam::yyyy:role/CircleCiOpenID"' >> "$BASH_ENV"
          fi
    - aws-ecr/build_and_push_image:
        account_id: $LOCAL_ACCOUNT_ID
        auth:
          - aws-cli/setup:
              role_arn: $LOCAL_ROLE_ARN
        region: eu-west-1
        checkout: false
        repo: << parameters.ecr_repo_name >>
        path: .
        no_output_timeout: 20m
        tag: $CIRCLE_SHA1
        extra_build_args: "--build-arg SERVICE_PATH=<< parameters.service_path >>"
```
This worked fine for QA, but when trying production I got `An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity`, even with subsequent job retries.
Then I quickly changed to this and deployed to production (which works), but now I’m getting the above error for QA?
```yaml
commands:
  build_and_push_ecr_image:
    description: "Build and push an image to an ECR repository for a specific service"
    parameters:
      environment:
        description: "The environment for which to build the images"
        type: enum
        enum: ["qa", "production"]
      ecr_repo_name:
        description: "The ECR repository name"
        type: string
      service_path:
        description: "The subdirectory path in the monorepo"
        type: string
    steps:
      - when:
          condition:
            equal: ["qa", << parameters.environment >>]
          steps:
            - aws-ecr/build_and_push_image:
                account_id: "x"
                auth:
                  - aws-cli/setup:
                      xxx
                region: eu-west-1
                checkout: false
                repo: << parameters.ecr_repo_name >>
                path: .
                no_output_timeout: 20m
                tag: $CIRCLE_SHA1
                extra_build_args: "--build-arg SERVICE_PATH=<< parameters.service_path >>"
      - when:
          condition:
            equal: ["production", << parameters.environment >>]
          steps:
            - aws-ecr/build_and_push_image:
                account_id: "y"
                auth:
                  - aws-cli/setup:
                      yyy
                region: eu-west-1
                checkout: false
                repo: << parameters.ecr_repo_name >>
                path: .
                no_output_timeout: 20m
                tag: $CIRCLE_SHA1
                extra_build_args: "--build-arg SERVICE_PATH=<< parameters.service_path >>"
```
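Whether `AssumeRoleWithWebIdentity` succeeds is decided by the target role's trust policy, which matches its conditions against the claims in the OIDC token the job presents. As an added example that is not part of the post above, here is a small checker that evaluates a constructed trust policy's `StringEquals`/`StringLike` conditions against a set of token claims, so a mismatch for one environment can be reproduced offline; the org id, account id, project ids and the `oidc.circleci.com/org/<org-id>` condition-key prefix are assumed placeholders.

```python
# Added example: evaluate a role trust policy against OIDC token claims.
# Simplified IAM semantics: Allow statements only, StringEquals / StringLike conditions.
import fnmatch

# Constructed placeholders; ORG is not a real CircleCI organisation id.
ORG = "11111111-2222-3333-4444-555555555555"
COND_PREFIX = f"oidc.circleci.com/org/{ORG}"  # assumed condition-key prefix

# Constructed trust policy: one Allow statement scoped to one project-id prefix.
TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{COND_PREFIX}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{COND_PREFIX}:aud": ORG},
            "StringLike": {f"{COND_PREFIX}:sub": f"org/{ORG}/project/aaaa-*/user/*"},
        },
    }],
}

def _value_matches(op, expected, actual):
    """Condition values may be a string or a list; any listed value may match."""
    for pattern in ([expected] if isinstance(expected, str) else expected):
        if op == "StringEquals" and actual == pattern:
            return True
        if op == "StringLike" and fnmatch.fnmatchcase(actual, pattern):  # IAM '*' / '?'
            return True
    return False

def statement_allows(stmt, claims, cond_prefix=COND_PREFIX):
    """True if this statement permits AssumeRoleWithWebIdentity for these claims."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
        return False
    for op, keys in stmt.get("Condition", {}).items():
        if op not in ("StringEquals", "StringLike"):
            return False  # operator not modelled here: fail closed
        for key, expected in keys.items():
            if not key.startswith(cond_prefix + ":"):
                return False  # key belongs to another provider: cannot be satisfied
            claim = key[len(cond_prefix) + 1:]
            if not _value_matches(op, expected, claims.get(claim, "")):
                return False  # every condition in the statement must hold
    return True

def assume_allowed(policy, claims, cond_prefix=COND_PREFIX):
    """Allowed if any statement allows; there is no explicit Deny in this model."""
    return any(statement_allows(s, claims, cond_prefix) for s in policy["Statement"])
```

Feed it the `aud` and `sub` claims of the token each environment's job actually presents (decoded from the ID token) and the trust policy of each role to see which condition rejects the request.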