AWS Cloudformation Role is not authorized to perform AssumeRole on Role

I am trying to execute a cloudformation stack which contains the following resources:

  • Codebuild project
  • Codepipeline pipeline
  • Roles needed

While trying to execute the stack, it fails with the following error:

arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on role arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)

I created the role using a managed policy, but I have already tried with a normal policy and it does not work either.

This is the Role Policy:

    CodePipelinePolicy:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
        Path: "/"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Resource: "*"
              Effect: "Allow"
              Condition: {}
              Action:
                - autoscaling:*
                - cloudwatch:*
                - cloudtrail:*
                - cloudformation:*
                - codebuild:*
                - codecommit:*
                - codedeploy:*
                - codepipeline:*
                - ec2:*
                - ecs:*
                - ecr:*
                - elasticbeanstalk:*
                - elasticloadbalancing:*
                - iam:*
                - lambda:*
                - logs:*
                - rds:*
                - s3:*
                - sns:*
                - ssm:*
                - sqs:*
                - kms:*

This is the Role:

    CodePipelineRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: !Sub ${EnvironmentName}-CodePipelineRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action:
                - 'sts:AssumeRole'
              Effect: Allow
              Principal:
                Service:
                  - codepipeline.amazonaws.com
        Path: /
        ManagedPolicyArns:
          - !Ref CodePipelinePolicy

What intrigues me the most is that it seems like CodePipelineRole is trying to AssumeRole to itself. I'm not understanding what can be happening here.

And when I set the policy's action to *, it works! I don't know what permissions could be missing.

Thanks

asked Nov 22 '18 by Juan Rivillas

2 Answers

It is to do with the trust relationship for the role you have created, i.e. CodePipelineRole.

  1. Go to the Role in IAM

  2. Select the Trust Relationships tab ...

  3. Then Edit Trust Relationship to include codepipeline:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "codepipeline.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

answered Sep 16 '22 by OneMoreNerd

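As an added check, not part of the question or either answer, the following Python script evaluates a role trust policy document offline and reports which service principals it lets call sts:AssumeRole, so a template can be validated before the stack is deployed. Both policy documents below are constructed for the example; the first is the trust policy the answer describes, the second trusts only CodeBuild and would produce the kind of AssumeRole rejection the question shows.

```python
import json

# Constructed example documents (not from any real account). The first is the trust
# policy the answer above recommends; the second only trusts CodeBuild, so a call by
# codepipeline.amazonaws.com to assume the role would be rejected.
TRUST_POLICY_OK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": ["codepipeline.amazonaws.com"]},
                 "Action": "sts:AssumeRole"}]
}""")
TRUST_POLICY_WRONG = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"Service": "codebuild.amazonaws.com"},
                  "Action": ["sts:AssumeRole"]},
}


def _as_list(value):
    """IAM lets Statement, Action and Principal.Service be a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_principals_allowed(trust_policy, action="sts:AssumeRole"):
    """Set of service principals that may perform `action` on the role.
    Explicit Deny overrides Allow, as in IAM; a wildcard principal is kept as "*"."""
    allowed, denied = set(), set()
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if not any(a in (action, "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        services = {"*"} if principal == "*" else set(_as_list(principal.get("Service")))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(services)
    if "*" in denied:          # a Deny on every principal blocks all service principals
        return set()
    return allowed - denied


def can_service_assume(trust_policy, service):
    """True if `service` (e.g. codepipeline.amazonaws.com) can assume the role."""
    allowed = service_principals_allowed(trust_policy)
    return service in allowed or "*" in allowed
```

A "*" in the returned set means the trust policy lets any principal assume the role and should be tightened to the specific service principals that need it.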

It seems like, behind the scenes, AWS services keep some kind of role cache. If you try to make a role, attach a policy and create a new CodeBuild project sequentially, CodeBuild will give an unauthorized error because it can't find the role. It's similar to getting a forbidden access error on a non-existing bucket (instead of a 404). If you separate the stack into two stacks, first creating the roles and then creating the CodeBuild project, it works. I don't understand why the CLI command works instantly though.

answered Sep 20 '22 by Felipe Desiderati