28 changes: 26 additions & 2 deletions cloudhub-2/modules/ROOT/pages/ps-config-advanced.adoc
Expand Up @@ -164,11 +164,35 @@ include::partial$select-private-space.adoc[tag=clickAdvanced]
. Click *Enable AWS Service Role*.
. Click *Save Changes* or *Discard changes*.
+
A unique service role name is generated, and you can use this role configure to configure identity and access management for AWS. Role generation might take a few minutes. If the role name does not appear, refresh the page.
A unique service role name is generated, and you can use this role to configure identity and access management for AWS. Role generation takes a few minutes. If the role name doesn't appear, refresh the page.

[NOTE]
You can configure only one AWS service role per private space.
Each private space supports only one AWS service role.

[[aws-iam-role-sts-s3-connector-conflict]]
=== IAM Roles and AWS S3 Connector: STS Endpoint Behavior

When you enable the AWS service role for a private space, the EKS cluster injects environment variables such as `AWS_STS_REGIONAL_ENDPOINTS=regional`. The AWS SDK credential provider that this setup uses, WebIdentityTokenFileCredentialsProvider, ignores any custom `endpointOverride` or STS endpoint settings in your Mule application and always uses the default regional STS endpoint.

[IMPORTANT]
====
When you enable a Private Space IAM role, the AWS SDK ignores custom STS endpoints in your Mule code and uses the public regional STS endpoint. If your network firewall or application-level egress rules don't allow outbound traffic to that STS endpoint, connectivity tests for the AWS S3 Connector and other AWS SDK-based connectors fail and applications hang or stop progressing. Allow the public regional STS endpoint, such as `sts.{region}.amazonaws.com`, in your private space firewall rules and, if you use them, in your application-level egress rules.
====

To allow connectivity, allow outbound HTTPS on port 443 to the regional STS endpoint for the region where your private space runs. Configure this in xref:ps-config-fw-rules.adoc[] and, when using app-level egress, in xref:ps-config-app-level-egress.adoc[].

If allowlisting isn't possible, set the `AWS_ENDPOINT_URL` environment variable for your application to the desired STS endpoint URL so the SDK uses it instead of the default regional endpoint.

To apply the workaround:

. In Runtime Manager, open your application and go to the *Settings* > *Properties* tab.
. Add an application property or environment variable that sets `AWS_ENDPOINT_URL` to your STS endpoint URL, for example `https://sts.{region}.amazonaws.com` or your custom endpoint.
. Apply the changes and redeploy or restart the application, so the runtime uses the new value.

For more information about setting environment variables or properties for your application, see xref:ch2-manage-props.adoc#example-using-properties-to-set-environment-variables[Example: Using Properties to Set Environment Variables].

== See Also

* xref:ps-config-fw-rules.adoc[]
* xref:ps-config-app-level-egress.adoc[]
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html[IAM roles^] in the AWS documentation
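Review bot: the opening paragraph of the new section says WebIdentityTokenFileCredentialsProvider "ignores any custom `endpointOverride` or STS endpoint settings in your Mule application and always uses the default regional STS endpoint", but the workaround a few lines later says setting `AWS_ENDPOINT_URL` makes the SDK use a different STS endpoint, so "always" cannot be right. Reconcile the two: say the provider ignores endpoint settings made in the Mule application or connector configuration but still honors SDK environment configuration. In the workaround step, please also confirm whether `AWS_ENDPOINT_URL` affects only STS or every AWS client the application creates; if it also redirects the S3 Connector's calls, the doc needs to say so, and if a service-specific variable is what is intended, name it. Lastly, since `sts.{region}.amazonaws.com` is a placeholder, consider adding one concrete region in the firewall sentence so readers do not copy the literal `{region}` into a firewall rule.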
Expand Up @@ -189,7 +189,9 @@ Examples of affected endpoints include:
* AWS CloudWatch endpoints with short TTLs
* Other cloud provider endpoints with dynamic IP pools and aggressive TTLs

Avoid configuring application-level egress rules for these scenarios. For more information, see https://help.salesforce.com/s/issue?language=en_US&id=a02Ka00000llC4i[Known Issue: App-level Egress Rules with Low TTL Domains^].
Avoid configuring application-level egress rules for these scenarios.

When you enable an xref:ps-config-advanced.adoc#configure-aws-role[AWS service role] for your private space, applications using the AWS S3 Connector or other AWS SDK-based connectors require outbound access to the public regional STS endpoint, such as `sts.{region}.amazonaws.com`. The AWS SDK ignores custom STS endpoints in Mule and uses the regional STS endpoint. If you use application-level egress rules, allow the STS endpoint for your region. For details and a workaround, see xref:ps-config-advanced.adoc#aws-iam-role-sts-s3-connector-conflict[IAM Roles and AWS S3 Connector: STS Endpoint Behavior]. For more information, see https://help.salesforce.com/s/issue?language=en_US&id=a02Ka00000llC4i[Known Issue: App-level Egress Rules with Low TTL Domains^].


[IMPORTANT]
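Review bot: the "Known Issue: App-level Egress Rules with Low TTL Domains" link, which in the removed line followed "Avoid configuring application-level egress rules for these scenarios", now closes the new STS paragraph, so it reads as if the known issue documents the STS endpoint behavior. Keep the link with the low-TTL sentence (restore it after "Avoid configuring application-level egress rules for these scenarios.") and end the STS paragraph at the cross-reference to the IAM Roles section. That paragraph also restates "The AWS SDK ignores custom STS endpoints in Mule and uses the regional STS endpoint", which the linked section already explains; a one-sentence pointer to it is enough here.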