AWS secrets engine Federated token denied IAM access

hey there,

We are trying to set up a ci/cd pipeline for our terraform repositories that incorporates federated credentials generated by the aws secrets engine in Vault. When doing this, I’ve noticed certain iam actions are denied, even though I’ve explicitly given iam:* on all resources. I’ve tested in the cli using the credentials and confirmed that they work for other actions.

`aws s3 ls` gives a full list of our s3 buckets

`aws iam get-role --role-name redacted-role-name` gives this error: `An error occurred (InvalidClientTokenId) when calling the GetRole operation: The security token included in the request is invalid`

This is the role I created for the operation:

```
Key                         Value
---                         -----
credential_type             federation_token
default_sts_ttl             0s
iam_groups                  <nil>
iam_tags                    <nil>
max_sts_ttl                 0s
permissions_boundary_arn    n/a
policy_arns                 <nil>
policy_document             {"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["*"],"Resource":"*"}}
role_arns                   <nil>
user_path                   n/a
```

The aws user we have creating these credentials (configured within the aws secrets engine) has the AdministratorAccess iam role which gives these permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```

Any insights why my federation token might not have iam access would be super appreciated. Could this be a “security feature” within aws itself?