Can someone ELI5 for setting up a dynamic provider in AWS for TFC?

I’m trying to go off of this guide to hook up my AWS account to TFC. I’m new to TFC, and I’m a little confused about how to set this up. I think I have most of this set up correctly, but I’m not making the connection on how the tfc_aws_dynamic_credentials variable is supposed to be used. Is this supposed to work as-is, or does the doc not mention a tfvars entry that points shared_config_file somewhere on my local machine or in the nebulous file structure in TFC? Can someone line this up for me in a way that is a little less recursive? My brain is turning to mush, and this is making less sense the more I read through it.

EDIT: A little more info:
I have gone through the setup guide and I’m getting the following error trying to run a plan from my local machine:
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ AWS Error: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 403, RequestID: <redacted> api error AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

My main and var files are set up verbatim to the guide.

My trust policy looks just like the one in the guide:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<redacted>:oidc-provider/app.terraform.io"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "app.terraform.io:aud": "aws.workload.identity"
                },
                "StringLike": {
                    "app.terraform.io:sub": "organization:<redacted>:project:AWS_Prod:workspace:Main:run_phase:*"
                }
            }
        }
    ]
}

Am I missing something?

FIXED. Turns out I didn’t capitalize the org name the same way on the TFC side as I did on the AWS side. Ooof.
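As an added pre-flight check (not from the original post, TFC or AWS): this evaluates the trust policy's Condition block against the aud/sub claims TFC puts in its workload-identity token, using IAM's case-sensitive StringEquals/StringLike semantics, so an org-name capitalization mismatch like the one behind the AccessDenied above is caught before a run. The account id and the org name ExampleOrg are placeholders for the redacted values.

```python
import json
import re

# Constructed trust policy modelled on the one in the post; the account id is a
# placeholder and "ExampleOrg" stands in for the redacted organization name.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/app.terraform.io"},
    "Condition": {
      "StringEquals": {"app.terraform.io:aud": "aws.workload.identity"},
      "StringLike": {"app.terraform.io:sub":
        "organization:ExampleOrg:project:AWS_Prod:workspace:Main:run_phase:*"}}}]}""")

# Constructed claims in the shape TFC uses for its workload-identity token.
GOOD_CLAIMS = {"aud": "aws.workload.identity",
               "sub": "organization:ExampleOrg:project:AWS_Prod:workspace:Main:run_phase:plan"}
# Same token, but the org was created in TFC with different capitalization.
BAD_CLAIMS = dict(GOOD_CLAIMS, sub=GOOD_CLAIMS["sub"].replace("ExampleOrg", "exampleorg"))


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one char; no [] classes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_failures(statement: dict, claims: dict) -> list[str]:
    """Evaluate the statement's Condition block; an empty list means the role is assumable."""
    failures = []
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            claim = key.split(":", 1)[1]          # "app.terraform.io:sub" -> "sub"
            actual = claims.get(claim, "")
            wanted = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in wanted             # exact and case-sensitive
            elif operator == "StringLike":
                ok = any(iam_string_like(p, actual) for p in wanted)
            else:
                failures.append(f"{operator} on {key}: operator not handled here")
                continue
            if not ok:
                failures.append(f"{operator} on {key}: token has {actual!r}, policy wants {wanted}")
    return failures


if __name__ == "__main__":
    for name, claims in (("matching case", GOOD_CLAIMS), ("lower-case org", BAD_CLAIMS)):
        print(name, "->", condition_failures(TRUST_POLICY["Statement"][0], claims) or "OK")
```

Paste your own trust policy and the sub value shown in the TFC workspace to compare them the way STS will, character for character.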