Unable to delete cfn stack, role is invalid or cannot be assumed

amazon-web-services amazon-cloudformation aws-codepipeline aws-codecommit
12,785

Solution 1

I've had this problem a few times. The solution is a bit of a hack. In your case, you need to create a new role named CloudFormationRole-NestedCFN-CodePipeline. When you create this role, you'll likely need to select the CloudFormation service when it asks you to Choose the service that will use this role and then Attach permissions policies. Once the role is created, try to delete the stack again.
Some of this is a guessing game because you need to choose the correct resource (i.e. AWS service) that is a "trusted entity". Based on your role name, it's either CloudFormation or CodePipeline.

After you delete the CloudFormation stack, you can delete the IAM role you just created.

The reason you get this error is because you probably deleted a CloudFormation stack that has an IAM role that's being used by the stack you're trying to delete.

I wish there was a more elegant solution from AWS but this was my workaround.

Solution 2

I got the same problem and the only way to delete the stack was using the AWS CLI and executing the following command:

aws cloudformation delete-stack --role-arn arn:aws:iam::xxxx:role/anyrolewithpermissions --stack-name StuckStack

just be sure to use another role with enough permissions.

Solution 3

This usually happens when a role required to delete the stack has been accidentally deleted. You may get the error message

Role arn:aws:iam::<account>:role/<role name> is invalid or cannot be assumed

Go to IAM > roles > create role > click on cloudformation for the service > make sure you give it the right permissions so that cloudformation can delete the stack. (In my case I gave it admin permissions because I was planning to delete the role straight after I deleted the stack > for Role name use the same role name in the error message.

You should now be able to delete the stack

Share:
12,785
pelican
Author by

pelican

Updated on June 07, 2022

Comments

  • pelican
    pelican almost 2 years

    I'm new to aws cloudformation; I'm wondering if anybody knows of a way to force delete a stack when it just won't delete. It fails with this error: 

    Failed to delete stack: Role arn:aws:iam::role/CloudFormationRole-NestedCFN-CodePipeline is invalid or cannot be assumed

    This error usually happens when I try to delete a nested child stack instead of starting by deleting the parent stack first. Is there any way to delete the nested stack if I accidentally deleteted the parent stack?

  • pelican
    pelican about 6 years
    Thanks very much, the hack worked for me! The other suggested solutions below didn't quite work but thanks for helping me out everyone!
  • Milan Cermak
    Milan Cermak about 5 years
    I would upvote this twice if I could. Helped me every time.
  • AHalbert
    AHalbert almost 5 years
    This helped me when creating the a role of the same name as the deleted role did not.
  • robscodebase
    robscodebase almost 4 years
    This helped me big time. I was trying to delete a nested stack but kept getting role is invalid or cannot be assumed even after creating new roles. I created a cloudformation-admin role with enough permissions to delete items in the stack and this command worked. Thanks.
  • badfun
    badfun about 3 years
    Excellent. Thank you. The 'official' method (aws.amazon.com/premiumsupport/knowledge-center/…) did not work for me. It's so hacky... hard to believe they documented it instead of coming up with a way to do this in the console.
  • Hom Bahrani
    Hom Bahrani about 3 years
    thanks, this is not a hack but a good solution. As you mentioned its most likely because the IAM role required to delete the stack has been accidentally deleted
  • Andy
    Andy about 2 years
    there is a slightly clearer article on the knowledge center now aws.amazon.com/premiumsupport/knowledge-center/…
  • user1751825
    user1751825 about 2 years
    This was the only solution that worked for me.
  • Jonathan Heinen
    Jonathan Heinen about 2 years
    Simple solution that works perfectly fine!
  • Alireza
    Alireza about 2 years
    Make sure to replace xxxx with your account id and anyrolewithpermission with a valid role with the required permission. If you don't know what permissions are required, just create a new temporary role with admin permissions.
  • Luan Pham
    Luan Pham almost 2 years
    Four years have passed, this is still the best solution!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

AWS CodePipeline error: Cross-account pass role is not allowed
When do I need to have CAPABILITY_NAMED_IAM
How can I (securely) download a private S3 asset onto a new EC2 instance with cloudinit?
Codepipeline: Insufficient permissions Unable to access the artifact with Amazon S3 object key
How to add multiple security groups and group names in cloudformation using template?
How to set DynamoDB Read/write capacity mode to On-demand on CloudFormation
AWS::CloudFormation::Init how does it work?
AWS Cloudformation - How to use If Else conditions
AWS cloudformation: One big template file or many small ones?
Create Nested If else in AWS Cloud Formation Template