CloudFormation is not authorized to perform: iam:PassRole on resource
Solution 1
User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)
From this log you can tell what policy (iam:PassRole
) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation
).
You should:
- Go
IAM > Roles
- Type in search
CodeStarWorker-AppConfig-CloudFormation
- Open that role and go to
Permissions
- Find
CodeStarWorkerCloudFormationRolePolicy
, expand it, goEdit policy
- In this following section under resources add ARN of your role (
arn:aws:iam::579913947261:role/FnRole
), if you don't have that section just copy and paste this, but underResources
use yours ARNs.
Policy:
{
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
"arn:aws:iam::579913947261:role/FnRole"
],
"Effect": "Allow"
}
If you want to assign that permission to all resources ("Resource": "*"
) find this following section and above under actions add the permission you want to assign:
"Resource": "*",
"Effect": "Allow"
You can do apply this for all others permissions you want to assign to CloudFormation for your resources.
Solution 2
While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole
permissions.
The iam:PassRole
permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.
In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole
permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function.
When a CloudFormation template is launched, it either provisions resources as the user who is creating the stack, or using an IAM Role specified when the stack is launched. It is that User/Role that requires the iam:PassRole
permissions to use FnRole
.
Second Of Two
Updated on July 15, 2021Comments
-
Second Of Two almost 3 years
This is part of the code of my
template.yml
in Cloud9:Type: 'AWS::Serverless::Function' Properties: Handler: index.handler Runtime: nodejs6.10 CodeUri: . Description: Updates records in the AppConfig table. MemorySize: 128 Timeout: 3 Role: 'arn:aws:iam::579913947261:role/FnRole' Events: Api1: Type: Api Properties:
When I commit the changes in Cloud9, deployment fails at CodePipeline Deploy stage while trying
ExecuteChangeSet
. I get this error:CloudFormation is not authorized to perform: iam:PassRole on resource
Can anyone help?
-
Second Of Two over 5 yearsThanks for the info. Sorry, I should of posted more log info. User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9) I am aware that I need to give permission to CloudFormation but I didn't know how to do that and where.
-
Second Of Two over 5 yearsthanks for helping in formatting the answer @John Rotenstein and wish I can mark your answer as useful but I need to have 15 reputation.
-
Sangam Belose about 5 yearsyou wont get reputation on answering own question. This is how stack overflow works.
-
Sangam Belose about 5 years@John Rotenstein accurate and well explained answer.
-
user1412523 almost 5 yearsthere is a small gotcha here to @SecondOfTwo 's answer, if it is an AWS Managed Policy you can't edit it , which is often the case using codepipeline. Just create new policy an attach to Role.