How to Securely Map TeamCity Projects to Specific AWS IAM Roles?
Hi, we run TeamCity in AWS on a single EC2 instance that assumes IAM roles across many different AWS accounts. Each TeamCity project should only be able to assume a specific role.
Currently, the EC2 instance profile has broad sts:AssumeRole permissions, and we rely only on unique ExternalIDs for each role to prevent misuse.
Our concern is that if a developer discovers a role's ExternalID (which isn't really a secret, and by default is in a standard format anyway), they can create a build to assume that IAM Role they shouldn't have access to, from any project. That is, as long as they have a project with a “Default Credential Provider Chain” connection, they can run code to assume any role that they know the ExternalID for.
Any advice on good practice in this area?
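As an added illustration (not part of the original post, and not TeamCity's or AWS's code), the following Python lints IAM policy documents for the two properties the question turns on: an instance-profile policy that allows `sts:AssumeRole` on a wildcard resource, and a role trust policy whose only gate is `sts:ExternalId`. The policy documents are constructed samples with placeholder account IDs and role names; the weak instance-profile policy is shown beside a resource-scoped variant so the difference the linter detects is visible.

```python
"""Lint IAM policy documents for the pattern described above: broad
sts:AssumeRole on the instance profile, and trust policies gated only
by sts:ExternalId. All policies below are constructed examples."""
import json

# Constructed sample: instance-profile policy as the post describes it
# (any role in any account, relying on ExternalId downstream).
BROAD_INSTANCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumeAnyRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*",
    }],
})

# Constructed sample: the same grant scoped to named roles
# (placeholder account IDs and role names).
SCOPED_INSTANCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumeProjectRoles",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Resource": [
            "arn:aws:iam::111111111111:role/TeamCity-ProjectA",
            "arn:aws:iam::222222222222:role/TeamCity-ProjectB",
        ],
    }],
})

# Constructed sample: a target role's trust policy that relies on
# sts:ExternalId alone (placeholder principal and ExternalId).
TRUST_EXTERNALID_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/TeamCity-Instance"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}},
    }],
})


def _as_list(value):
    """IAM allows scalars or lists for Statement/Action/Resource; normalize."""
    return value if isinstance(value, list) else [value]


def find_broad_assume_role(policy_json):
    """Return (Sid, [wildcard resources]) for Allow statements that grant
    sts:AssumeRole (directly or via sts:* / *) on a resource containing '*'."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        wildcards = [r for r in _as_list(statement.get("Resource", [])) if "*" in r]
        if wildcards:
            findings.append((statement.get("Sid", f"statement[{index}]"), wildcards))
    return findings


def trust_policy_condition_keys(trust_json):
    """Sorted, lower-cased condition keys that gate Allow statements in a
    trust policy (e.g. sts:externalid, aws:sourcearn)."""
    keys = set()
    for statement in _as_list(json.loads(trust_json).get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for block in statement.get("Condition", {}).values():
            keys.update(k.lower() for k in block)
    return sorted(keys)


def relies_on_external_id_only(trust_json):
    """True when sts:ExternalId is the only condition key on the trust policy,
    i.e. the non-secret ExternalId is doing all of the access control."""
    return trust_policy_condition_keys(trust_json) == ["sts:externalid"]


if __name__ == "__main__":
    print("broad instance policy:", find_broad_assume_role(BROAD_INSTANCE_POLICY))
    print("scoped instance policy:", find_broad_assume_role(SCOPED_INSTANCE_POLICY))
    print("trust gated by ExternalId only:", relies_on_external_id_only(TRUST_EXTERNALID_ONLY))
```

Pointing `find_broad_assume_role` at a live instance-profile policy (fetched with `boto3`'s `iam.get_policy_version`, for instance) reports exactly the condition the post worries about: a wildcard `Resource` on `sts:AssumeRole`, which lets any build with the default credential chain attempt any role for which the ExternalID is known.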