
I have a template.yaml that worked before and doesn't work now; I am 90% sure that I didn't modify anything.

The error message looks like below:

API: iam:PutRolePolicy User: arn:aws:iam::xxxxxoooo:user/ray is not authorized to perform: iam:PutRolePolicy on resource: role cron- LambdaExecutionRole-PTYXWCAQZPOE with an explicit deny in an identity-based policy

I have done the steps below and it still fails:

  1. Add AdministratorAccess for user ray; the same error message is still there
  2. Cut template.yaml down from 5 services to only 1, and it still fails
  3. Add inline policies on the role, referenced from link
  4. brew install aws-sam-cli again

However, if I push the Retry button in the CloudFormation GUI, it works.

How can I solve this properly?

Another failed example

template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  BatchTaskFargateRole:
    DeletionPolicy: Retain
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
    Type: AWS::IAM::Role
Transform: AWS::Serverless-2016-10-31

result

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                                 ResourceType                                   LogicalResourceId                              ResourceStatusReason
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS                             AWS::IAM::Role                                 BatchTaskFargateRole                           -
CREATE_IN_PROGRESS                             AWS::IAM::Role                                 BatchTaskFargateRole                           Did not have IAM permissions to process tags
                                                                                                                                             on AWS::IAM::Role resource.
CREATE_FAILED                                  AWS::IAM::Role                                 BatchTaskFargateRole                           API: iam:CreateRole User:
                                                                                                                                             arn:aws:iam::xxxxx00000:user/ray is not
                                                                                                                                             authorized to perform: iam:CreateRole on
                                                                                                                                             resource:
                                                                                                                                             arn:aws:iam::xxxxx00000:role/
                                                                                                                                             BatchTaskFargateRole-1SCd8L0GR
                                                                                                                                             with an explicit deny in an identity-based
                                                                                                                                             policy
CREATE_FAILED                                  AWS::CloudFormation::Stack                     test-cloudformation-stack                      The following resource(s) failed to create:
                                                                                                                                             [BatchTaskFargateRole].
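
The error text already names the decisive factor: an explicit deny in an identity-based policy. In IAM's evaluation logic an explicit Deny overrides every Allow, so attaching AdministratorAccess to the user (step 1 above) or widening a role's inline policy cannot clear it; only removing or narrowing the Deny statement attached to the user (directly, or through one of the user's groups) can. The Python below is an added example, not code from the original question or answers: a toy evaluator for the identity-based part of the evaluation logic, run against a constructed placeholder account ID, the AdministratorAccess document, the policy proposed in the second answer, and a hypothetical inline Deny that reproduces the symptom on the page. Condition blocks, permission boundaries, SCPs and resource-based policies are deliberately out of scope.

```python
"""Toy evaluator for the identity-based part of AWS IAM's policy evaluation logic.

Added example; not code from the original question or answers. The account ID,
the inline Deny policy and the policy names are constructed for illustration.
"""
import re

# Constructed: a placeholder account ID (the page redacts the real one).
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BatchTaskFargateRole-1SCd8L0GR"

# The AWS managed AdministratorAccess policy: Allow every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical inline policy standing in for whatever Deny is attached to the
# user in the thread; it reproduces the "explicit deny" error for role writes.
HYPOTHETICAL_DENY_ROLE_WRITES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRoleMutation",
        "Effect": "Deny",
        "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
        "Resource": "arn:aws:iam::*:role/*",
    }],
}

# The policy proposed in the second answer: Allow iam:* on every role ARN.
ANSWER_TWO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "iam:*",
        "Resource": "arn:aws:iam::*:role/*",
    }],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_insensitive):
    """IAM wildcard matching: '*' is any run of characters, '?' one character.
    Action names compare case-insensitively; resource ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _statement_matches(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource
    elements cover this request. Condition blocks are ignored in this toy."""
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    if actions and not any(_iam_match(a, action, True) for a in actions):
        return False
    if not_actions and any(_iam_match(a, action, True) for a in not_actions):
        return False
    resources = _as_list(stmt.get("Resource"))
    not_resources = _as_list(stmt.get("NotResource"))
    if resources and not any(_iam_match(r, resource, False) for r in resources):
        return False
    if not_resources and any(_iam_match(r, resource, False) for r in not_resources):
        return False
    return True


def evaluate(policies, action, resource):
    """Return (decision, (policy_name, sid)) for the identity-based policies
    attached to a principal. Precedence, as in IAM: any matching Deny wins,
    then any matching Allow, otherwise implicit deny. The decision strings
    mirror the EvalDecision values reported by simulate-principal-policy."""
    first_allow = None
    for name, document in policies.items():
        for stmt in document["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicitDeny", (name, stmt.get("Sid"))
            if stmt.get("Effect") == "Allow" and first_allow is None:
                first_allow = (name, stmt.get("Sid"))
    if first_allow is not None:
        return "allowed", first_allow
    return "implicitDeny", None


if __name__ == "__main__":
    attached = {"AdministratorAccess": ADMINISTRATOR_ACCESS}
    print("admin only:            ", evaluate(attached, "iam:CreateRole", ROLE_ARN))
    attached["inline-deny"] = HYPOTHETICAL_DENY_ROLE_WRITES
    print("admin + deny:          ", evaluate(attached, "iam:CreateRole", ROLE_ARN))
    attached["cfn-role-policy"] = ANSWER_TWO_POLICY
    print("admin + deny + answer 2:", evaluate(attached, "iam:CreateRole", ROLE_ARN))
    print("read-only action:      ", evaluate(attached, "iam:GetRole", ROLE_ARN))
```

Against a real account the equivalent check is `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:user/ray --action-names iam:CreateRole iam:PutRolePolicy`, which reports `explicitDeny` together with the matched statements, and `aws iam list-attached-user-policies`, `aws iam list-user-policies` and `aws iam list-groups-for-user` to locate where the Deny is attached (group policies are identity-based policies too). If the Deny carries a Condition block, the outcome can differ between attempts; the toy above ignores Condition, so treat its verdict as a first cut and confirm with the simulator.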

2 Answers


  1. Chosen as BEST ANSWER

    It turns out that I cannot succeed with `aws s3api list-buckets` (Access Denied). I tried to create a new access key and it still doesn't work. It seems the user is totally broken. Finally, I created a new user and everything is back to normal.

    Thanks for the guide here


  2. Delete the stack, change the inline policy of the CloudFormation role to

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "arn:aws:iam::*:role/*"
        }
      ]
    }
    

    then try to deploy again.
