This is part of the code of my template.yml in Cloud9:
  Type: 'AWS::Serverless::Function'
  Properties:
    Handler: index.handler
    Runtime: nodejs6.10
    CodeUri: .
    Description: Updates records in the AppConfig table.
    MemorySize: 128
    Timeout: 3
    Role: 'arn:aws:iam::579913947261:role/FnRole'
    Events:
      Api1:
        Type: Api
        Properties:
When I commit the changes in Cloud9, deployment fails at the CodePipeline Deploy stage while trying ExecuteChangeSet. I get this error:
CloudFormation is not authorized to perform: iam:PassRole on resource
Can anyone help?
If you receive an error that you're not authorized to perform the iam:PassRole action, your policies must be updated to allow you to pass a role to Resource Groups. Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role.
AWS CloudFormation actions: The policy grants permissions to all DescribeStack API actions listed in the Action element. If you don't specify a stack name or ID in your statement, you must also grant the permission to use all resources for the action using the * wildcard for the Resource element.
If you receive an error that you're not authorized to perform the iam:PassRole action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password. Ask that person to update your policies to allow you to pass a role to Amazon Personalize.
User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)
From this log you can tell what permission (iam:PassRole) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation).
You should go to IAM > Roles > CodeStarWorker-AppConfig-CloudFormation > Permissions > CodeStarWorkerCloudFormationRolePolicy, expand it, go to Edit policy and find the section that refers to your function role (arn:aws:iam::579913947261:role/FnRole). If you don't have that section, just copy and paste this, but under Resource use your own ARNs. Policy:
{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
        "arn:aws:iam::579913947261:role/FnRole"
    ],
    "Effect": "Allow"
}
If you want to assign that permission to all resources ("Resource": "*"), find the following section and, above it under Action, add the permission you want to assign:
    "Resource": "*",
    "Effect": "Allow"
You can apply this for all other permissions you want to assign to CloudFormation for your resources.
While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole permissions.
The iam:PassRole permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.
In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function.
When a CloudFormation template is launched, it either provisions resources as the user who is creating the stack, or using an IAM Role specified when the stack is launched. It is that User/Role that requires the iam:PassRole permissions to use FnRole.
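As an added illustration of the two answers above (not code from the original posters), this Python snippet takes the scoped PassRole statement from the first answer, adds an iam:PassedToService condition (my addition, so the CloudFormation role can only pass the role to Lambda), and runs a simplified offline model of IAM evaluation over it. The evaluator models only Allow/Deny, "*"/"?" wildcards on Action and Resource, and that single condition key; it shows why the scoped statement answers the error while a "Resource": "*" statement would let the role be passed anywhere, which is the concern the second answer raises.

```python
import re
# Constructed sample: the scoped statement from the answer above, plus an
# iam:PassedToService condition (added here, not in the original answer) so
# the CloudFormation role can pass these roles to Lambda and nothing else.
SCOPED_PASSROLE = [{
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": [
        "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
        "arn:aws:iam::579913947261:role/FnRole",
    ],
    "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
}]
# The over-broad alternative the answer mentions: any role, to any service.
WILDCARD_PASSROLE = [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]

def _wild_match(patterns, value, ignore_case=False):
    """IAM-style pattern match: '*' matches any run of characters, '?' one."""
    if isinstance(patterns, str):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False

def _passed_to_service_ok(stmt, service):
    """Only the iam:PassedToService StringEquals condition key is modelled."""
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
    if wanted is None:
        return True
    return service in ([wanted] if isinstance(wanted, str) else wanted)

def evaluate_pass_role(statements, role_arn, service):
    """Simplified IAM decision for iam:PassRole: explicit Deny wins, otherwise any
    matching Allow grants, otherwise ImplicitDeny (the 403 seen in the question)."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not _wild_match(stmt.get("Action", []), "iam:PassRole", ignore_case=True):
            continue  # action names are case-insensitive in IAM
        if not _wild_match(stmt.get("Resource", []), role_arn):
            continue  # role ARNs are matched case-sensitively
        if not _passed_to_service_ok(stmt, service):
            continue
        if stmt.get("Effect") == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Run evaluate_pass_role against the role ARN and service named in your own AccessDeniedException to see which statement (if any) would cover it; real IAM also applies SCPs, permission boundaries and other condition keys that this model leaves out.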