CloudFormation is not authorized to perform: iam:PassRole on resource

amazon-web-services aws-lambda amazon-cloudformation amazon-iam
26,307

Solution 1

User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)

From this log you can tell what policy (iam:PassRole) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation).

You should:

  • Go IAM > Roles
  • Type in search CodeStarWorker-AppConfig-CloudFormation
  • Open that role and go to Permissions
  • Find CodeStarWorkerCloudFormationRolePolicy, expand it, go Edit policy
  • In this following section under resources add ARN of your role (arn:aws:iam::579913947261:role/FnRole), if you don't have that section just copy and paste this, but under Resources use yours ARNs.

Policy:

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
        "arn:aws:iam::579913947261:role/FnRole"
    ],
    "Effect": "Allow"
}

If you want to assign that permission to all resources ("Resource": "*") find this following section and above under actions add the permission you want to assign:

"Resource": "*",
"Effect": "Allow"

You can do apply this for all others permissions you want to assign to CloudFormation for your resources.

Solution 2

While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole permissions.

The iam:PassRole permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.

In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function.

When a CloudFormation template is launched, it either provisions resources as the user who is creating the stack, or using an IAM Role specified when the stack is launched. It is that User/Role that requires the iam:PassRole permissions to use FnRole.

Share:
26,307
Second Of Two
Author by

Second Of Two

Updated on July 15, 2021

Comments

  • Second Of Two
    Second Of Two almost 3 years

    This is part of the code of my template.yml in Cloud9:

    Type: 'AWS::Serverless::Function'
Properties:
  Handler: index.handler
  Runtime: nodejs6.10
  CodeUri: .
  Description: Updates records in the AppConfig table.
  MemorySize: 128
  Timeout: 3
  Role: 'arn:aws:iam::579913947261:role/FnRole'
  Events:
    Api1:
      Type: Api
      Properties:

    When I commit the changes in Cloud9, deployment fails at CodePipeline Deploy stage while trying ExecuteChangeSet. I get this error:

    CloudFormation is not authorized to perform: iam:PassRole on resource

    Can anyone help?

  • Second Of Two
    Second Of Two over 5 years
    Thanks for the info. Sorry, I should of posted more log info. User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppCon‌​fig-CloudFormation/A‌​WSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9) I am aware that I need to give permission to CloudFormation but I didn't know how to do that and where.
  • Second Of Two
    Second Of Two over 5 years
    thanks for helping in formatting the answer @John Rotenstein and wish I can mark your answer as useful but I need to have 15 reputation.
  • Sangam Belose
    Sangam Belose about 5 years
    you wont get reputation on answering own question. This is how stack overflow works.
  • Sangam Belose
    Sangam Belose about 5 years
    @John Rotenstein accurate and well explained answer.
  • user1412523
    user1412523 almost 5 years
    there is a small gotcha here to @SecondOfTwo 's answer, if it is an AWS Managed Policy you can't edit it , which is often the case using codepipeline. Just create new policy an attach to Role.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Invoke an AWS lambda across regions
Attach policy to a IAM Role
AWS Cloudformation: Invalid template resource property error
How to troubleshoot this AWS lambda error - An error has occurred: Received error response from Lambda: Unhandled?
Work around circular dependency in AWS CloudFormation
Giving access to AWS Lambda service with limited policy
AWS Cloudformation : Passing environmental variables as parameters to lambda functions
AWS CodePipeline error: Cross-account pass role is not allowed
AWS IAM Cloudformation YAML template errror: 'null' values are not allowed
Access Denied using boto3 through aws Lambda