[DOCS-13133] Add IAM troubleshooting to AWS manual setup guide #35353

Open

buraizu wants to merge 5 commits into master from docs13133/aws-manual-setup-iam-troubleshooting

Conversation

@buraizu (Contributor) commented Mar 17, 2026

What does this PR do? What is the motivation?

Adds a "Troubleshoot IAM role issues" section to the AWS Manual Setup Guide, addressing common IAM-related support ticket themes from DOCS-13133. Covers:

  • Common trust policy mistakes (wrong account ID, expired external ID, ARN capitalization)
  • AWS CLI command to validate role assumption
  • Service Control Policy (SCP) interference warning

Merge instructions

Merge readiness:

  • Ready for merge

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
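The three trust-policy mistakes listed in the description can be caught by reading the policy document itself, with no call to STS. The following is an added example (not code from the PR or from the Datadog documentation) that lints a trust policy for them; the account IDs, external IDs and sample policy are constructed placeholders, and it assumes the trust policy carries its external ID in a `StringEquals` condition on `sts:ExternalId` and a dict-shaped `Principal` block.

```python
"""Added example (not from the PR or the Datadog guide): statically lint an IAM
role trust policy for the mistakes the PR lists (wrong account ID, missing or
stale sts:ExternalId, mis-capitalised ARN) without calling sts:AssumeRole."""
import json
import re

# Well-formed principal ARN in the commercial, GovCloud or China partition.
# The prefix is case-sensitive: IAM does not normalise "ARN:AWS:IAM::...".
# A bare 12-digit account ID is also accepted as an AWS principal.
PRINCIPAL_ARN = re.compile(
    r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):(root|role/.+|user/.+)$")


def check_trust_policy(policy_json, expected_account, expected_external_id):
    """Return a list of findings; empty means none of the known mistakes.
    expected_account: 12-digit ID of the account allowed to assume the role.
    expected_external_id: the ID the integration currently expects."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    saw_assume_role = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        saw_assume_role = True
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            m = PRINCIPAL_ARN.match(p)
            account = p if re.fullmatch(r"\d{12}", p) else (m.group(2) if m else None)
            if account is None:
                findings.append(f"malformed or mis-capitalised principal ARN: {p}")
            elif account != expected_account:
                findings.append(f"principal account {account} != expected {expected_account}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId is stale: it does not match the current value")
    if not saw_assume_role:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


# Constructed sample: right account, but the external ID from an older setup.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "old-external-id"}}}]})
```

Because the check is static, it can be run from any credentials, including ones the trust policy would never allow to assume the role.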
@buraizu buraizu added the WORK IN PROGRESS No review needed, it's a wip ;) label Mar 17, 2026
@buraizu buraizu requested a review from a team as a code owner March 17, 2026 19:15

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8efb9303de


[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
[7]: https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/
[8]: /getting_started/site/
[9]: /integrations/guide/error-datadog-not-authorized-sts-assume-role/


P2: Restore the partitions reference link target

This change assigns [9] to the AssumeRole troubleshooting page, but the Access Keys setup section already uses [Partitions][9], so that existing link now points to the wrong document instead of AWS partition guidance. Readers following Access Keys setup will be sent to unrelated IAM troubleshooting content, which breaks the instructions flow.


Run the following command from a machine with AWS CLI access to confirm that the role can be assumed:
```shell
aws sts assume-role \
--role-arn "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/DatadogIntegrationRole" \

P2: Use a partition-agnostic ARN in the CLI validation step

The new assume-role example hardcodes arn:aws:iam::..., but this same guide supports non-commercial partitions (for example GovCloud in the Role Delegation flow), where the ARN prefix is not arn:aws. Users in those partitions who copy this command will get a failed validation for the wrong reason, which undermines the troubleshooting step.


@github-actions github-actions bot added the Guide Content impacting a guide label Mar 17, 2026

@buraizu (Contributor, Author) commented Mar 17, 2026

Re: partition-agnostic ARN — Applied, replaced hardcoded arn:aws with a <YOUR_PARTITION> placeholder and added guidance line with commercial and GovCloud examples in f633aa2.

@buraizu (Contributor, Author) commented Mar 17, 2026

Re: link collision — Applied, added missing [9] Partitions link definition to the Access Keys tab to fix the collision in f633aa2.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f633aa279b


Comment on lines +137 to +140
Run the following command from a machine with AWS CLI access to confirm that the role can be assumed:
```shell
aws sts assume-role \
--role-arn "arn:<YOUR_PARTITION>:iam::<YOUR_AWS_ACCOUNT_ID>:role/DatadogIntegrationRole" \


P1: Remove customer-side AssumeRole validation step

This troubleshooting step tells customers to run aws sts assume-role from their own CLI session and concludes that any failure means the role config is wrong, but in this setup the role trust policy is intentionally limited to Datadog’s AWS account principal (see content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md lines 19-31), so customer credentials are typically not allowed to assume the role at all. In that common case the command will fail even when the integration is configured correctly, leading to a false negative and incorrect remediation.


@buraizu (Contributor, Author) commented Mar 17, 2026

Re: customer-side AssumeRole validation — Applied, replaced the aws sts assume-role CLI step with UI-based validation guidance, since the trust policy only allows Datadog's AWS account to assume the role and customer credentials would produce a false negative in 37e27e5.
