diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 2c6b4f69dee2..07168bfa1dbc 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -1404,6 +1404,10 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 // now, entity.FriendlyName should either be or
 switch entity.Type {
 case "assumed-role":
+// Check for three parts for assumed role ARNs
+if len(parts) < 3 {
+return nil, fmt.Errorf("unrecognized arn: %q contains fewer than 3 slash-separated parts", fullParts[5])
+}
 // Assumed roles don't have paths and have a slightly different format
 // parts[2] is
 entity.Path = ""
diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
index d0c69cfce041..a493770bc897 100644
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
@@ -114,6 +114,10 @@ func TestBackend_pathLogin_parseIamArn(t *testing.T) {
 if err == nil {
 t.Error("expected error from empty principal type and no principal name (arn:aws:iam::1234556789012:/)")
 }
+_, err = parseIamArn("arn:aws:sts::1234556789012:assumed-role/role")
+if err == nil {
+t.Error("expected error from malformed assumed role ARN")
+}
 }
 
 func TestBackend_validateVaultHeaderValue(t *testing.T) {
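Review bot: The comment on the new guard in the `assumed-role` case restates the condition rather than saying why it exists; the following context line shows the case body reads `parts[2]` as the session name, so presumably a two-part ARN previously indexed past the slice, and that is the reason worth recording: `// parts[2] (the role session name) is read below; reject ARNs that would index past the slice`. Consider also whether `< 3` is the right bound: an ARN such as `assumed-role/a/b/c` passes the guard and, if the rest of the case simply takes `parts[2]`, the trailing segment is silently dropped, so `!= 3` would be the stricter check if the format is exactly three parts (inferred; the split that produces `parts` is outside the hunk). The body of parseIamArn starts and ends outside the hunk.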
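Review bot: The new assertion in TestBackend_pathLogin_parseIamArn only checks that `err` is non-nil, which does not distinguish the new length guard from any earlier validation that might reject the same input; pinning the message would make the test specific to this change, e.g. `if err == nil || !strings.Contains(err.Error(), "fewer than 3 slash-separated parts") {`. A companion positive case with a well-formed three-part assumed-role ARN would also confirm the guard does not reject valid input, since none is visible in the hunk. The enclosing test function starts outside the hunk.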