Question:
I am trying to execute a cloudformation stack which contains the following resources:
- Codebuild project
- Codepipeline pipeline
- Roles needed
While trying to execute the stack, it fails with the following error:
arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on role arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)
I created the role using a managed policy, but I have already tried with a normal policy and it does not work either.
This is the Role Policy:
```yaml
CodePipelinePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
    Path: "/"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Resource: "*"
          Effect: "Allow"
          Condition: {}
          Action:
            - autoscaling:*
            - cloudwatch:*
            - cloudtrail:*
            - cloudformation:*
            - codebuild:*
            - codecommit:*
            - codedeploy:*
            - codepipeline:*
            - ec2:*
            - ecs:*
            - ecr:*
            - elasticbeanstalk:*
            - elasticloadbalancing:*
            - iam:*
            - lambda:*
            - logs:*
            - rds:*
            - s3:*
            - sns:*
            - ssm:*
            - sqs:*
            - kms:*
```
This is the Role:
```yaml
CodePipelineRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: !Sub ${EnvironmentName}-CodePipelineRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - !Ref CodePipelinePolicy
```
What intrigues me the most is that it seems like CodePipelineRole is trying to AssumeRole to itself. I don't understand what can be happening here.
And when I set the policy’s action to *, it works! I don’t know what permissions could be missing.
Thanks
Answer:
It has to do with the trust relationship for the role you have created, i.e. CodePipelineRole:
- Go to the Role in IAM
- Select the Trust Relationships tab …
- Then Edit Trust Relationship to include codepipeline
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codepipeline.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
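As an added example (not part of the answer above, and not AWS or project code), here is a small offline check that tells you whether a role's trust policy actually grants `sts:AssumeRole` to the CodePipeline service principal. It takes the trust policy as a parsed JSON dict, which is the shape you get from the `Role.AssumeRolePolicyDocument` field of `aws iam get-role`; the sample policies embedded below are constructed for the test and cover the single-string and list forms that IAM's policy grammar allows, as well as an explicit Deny.

```python
import json

PIPELINE_PRINCIPAL = "codepipeline.amazonaws.com"


def _as_list(value):
    """IAM lets most fields be either a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy_document, service_principal, action="sts:AssumeRole"):
    """Return True if `policy_document` (a trust policy as a dict) lets the given
    service principal call `action`.

    A statement matches when its Principal.Service (or a bare "*") covers the
    principal and its Action covers the action (exact, "sts:*" or "*").
    An explicit Deny that matches wins over any Allow, as in IAM evaluation.
    """
    allowed = False
    for stmt in _as_list(policy_document.get("Statement")):
        principal = stmt.get("Principal", {})
        if principal == "*":
            services = ["*"]
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []
        principal_match = service_principal in services or "*" in services

        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        action_match = action.lower() in actions or "sts:*" in actions or "*" in actions

        if not (principal_match and action_match):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_trusts(policy_document, required_principals):
    """Return the service principals in `required_principals` that the trust
    policy does not allow to assume the role (empty list means all are trusted)."""
    return [p for p in required_principals if not trust_policy_allows(policy_document, p)]


# --- constructed sample trust policies (not real account data) ---------------

# Same shape as the corrected trust relationship in the answer.
TRUST_OK = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["codepipeline.amazonaws.com"]},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Single-string form of Principal.Service and Action, which IAM also accepts.
TRUST_STRING_FORM = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"Service": "codepipeline.amazonaws.com"},
                  "Action": "sts:AssumeRole"},
}

# Trusts only CodeBuild: CodePipeline would get the "not authorized to perform
# AssumeRole" error from the question.
TRUST_WRONG_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["codebuild.amazonaws.com"]},
                   "Action": "sts:AssumeRole"}],
}

# Allow and a matching explicit Deny: the Deny must win.
TRUST_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "codepipeline.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Deny", "Principal": {"Service": "codepipeline.amazonaws.com"},
         "Action": "sts:*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("ok", TRUST_OK), ("string form", TRUST_STRING_FORM),
                      ("wrong service", TRUST_WRONG_SERVICE), ("deny", TRUST_DENY)]:
        print(f"{name:14s} -> missing: {missing_trusts(doc, [PIPELINE_PRINCIPAL])}")
```

Run it against the real document with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` piped into `json.load`; an empty list from `missing_trusts` means the trust side of the role is fine and the remaining cause is elsewhere (for example, the permissions policy or IAM propagation delay right after the role is created).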