diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 2f22c4d17d7e..cca2d757a766 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -1318,6 +1318,9 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 // most people would expect, which is arn:aws:iam:::role/
 var entity iamEntity
 fullParts := strings.Split(iamArn, ":")
+ if len(fullParts) != 6 {
+ return nil, fmt.Errorf("unrecognized arn: contains %d colon-separated parts, expected 6", len(fullParts))
+ }
 if fullParts[0] != "arn" {
 return nil, fmt.Errorf("unrecognized arn: does not begin with arn:")
 }
@@ -1330,6 +1333,9 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 entity.AccountNumber = fullParts[4]
 // fullParts[5] would now be something like user/ or assumed-role//
 parts := strings.Split(fullParts[5], "/")
+ if len(parts) < 2 {
+ return nil, fmt.Errorf("unrecognized arn: %q contains fewer than 2 slash-separated parts", fullParts[5])
+ }
 entity.Type = parts[0]
 entity.Path = strings.Join(parts[1:len(parts)-1], "/")
 entity.FriendlyName = parts[len(parts)-1]
diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
index 58f253bb161f..f813a5865df2 100644
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
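Review bot: The `len(parts) < 2` guard in the second hunk still lets an empty principal type or an empty friendly name through: `arn:aws:iam::123456789012:role/` splits into `["role", ""]` and `arn:aws:iam::123456789012:/` into `["", ""]`, both length 2, so `entity.Type` or `entity.FriendlyName` is assigned the empty string on the lines that follow. The companion test expects an error for the leading-slash case, which suggests something after the hunk rejects an empty type, but nothing visible here rejects an empty friendly name, and a role or user with no name should never reach the subsequent principal lookup. Tightening the guard to `if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {` makes the rejection explicit at the parse step rather than depending on later code; `strings.Split` already guarantees `len(parts) >= 1`, so the extra terms are safe. parseIamArn continues outside both hunks.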
@@ -88,6 +88,27 @@ func TestBackend_pathLogin_parseIamArn(t *testing.T) {
 "",
 iamEntity{Partition: "aws", AccountNumber: "123456789012", Type: "instance-profile", Path: "profilePath", FriendlyName: "InstanceProfileName"},
 )
+
+ // Test that it properly handles pathological inputs...
+ _, err := parseIamArn("")
+ if err == nil {
+ t.Error("expected error from empty input string")
+ }
+
+ _, err = parseIamArn("arn:aws:iam::123456789012:role")
+ if err == nil {
+ t.Error("expected error from malformed ARN without a role name")
+ }
+
+ _, err = parseIamArn("arn:aws:iam")
+ if err == nil {
+ t.Error("expected error from incomplete ARN (arn:aws:iam)")
+ }
+
+ _, err = parseIamArn("arn:aws:iam::1234556789012:/")
+ if err == nil {
+ t.Error("expected error from empty principal type and no principal name (arn:aws:iam::1234556789012:/)")
+ }
 }
 
 func TestBackend_validateVaultHeaderValue(t *testing.T) {
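Review bot: The last added case uses the account number `1234556789012`, which has thirteen digits, unlike the twelve-digit `123456789012` used by the other cases in this test; if parseIamArn validates the account number anywhere outside the hunk, this assertion could pass because of the account field rather than the empty principal type and name it is meant to exercise. Using `_, err = parseIamArn("arn:aws:iam::123456789012:/")` (and the matching text in the `t.Error` message) keeps the case focused on the slash-separated part. A trailing-slash input such as `arn:aws:iam::123456789012:role/`, which yields an empty friendly name, is also worth a case here since the new `len(parts) < 2` guard does not reject it. The enclosing test function starts before this hunk.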