Historically, the external ID was well-known (the account ID) when storage credentials were created by account admins. Now that storage credentials can be created by non-admins, we want to show an example where the storage credential's external ID is propagated to the IAM role. This does have the strange side effect that we need to know the IAM role ARN before the IAM role itself is created, but because the ARN follows a fixed pattern given the AWS partition, account ID and role name, that is possible.
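The ordering described above, as an added Python sketch that is not code from the original text: predict the role ARN, take the external ID issued with the storage credential, then pin the role's trust policy to that ID and audit the result. The role name, account IDs, external ID and trusted principal are constructed placeholders, and the role is assumed to have no path.

```python
import re

PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}

def role_arn(partition, account_id, role_name):
    """Predict the ARN of an IAM role that has not been created yet (no role path)."""
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition: {partition!r}")
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError("AWS account ID must be 12 digits")
    if not re.fullmatch(r"[A-Za-z0-9_+=,.@-]{1,64}", role_name):
        raise ValueError("invalid IAM role name")
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"

def trust_policy(trusted_principal_arn, external_id):
    """Trust policy that only allows AssumeRole with the credential's external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def unpinned_statements(policy, expected_external_id):
    """Indexes of Allow/AssumeRole statements not pinned to exactly the expected ID."""
    bad = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        pinned = [pinned] if isinstance(pinned, str) else (pinned or [])
        if pinned != [expected_external_id]:
            bad.append(i)
    return bad

# Constructed sample values, not taken from the page.
ARN = role_arn("aws", "123456789012", "storage-access-role")  # step 1: before the role exists
EXTERNAL_ID = "3f2c9a1e-0000-4000-8000-constructed"  # step 2: issued with the credential
TRUSTED = "arn:aws:iam::111122223333:role/placeholder-service-role"  # hypothetical principal
POLICY = trust_policy(TRUSTED, EXTERNAL_ID)  # step 3: the role is created with this policy

if __name__ == "__main__":
    print(ARN, unpinned_statements(POLICY, EXTERNAL_ID))
```

A trust policy still pinned to the old well-known value is reported by `unpinned_statements`, which makes the check usable as a migration audit.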