0

I am attempting to auto-deploy DAX for DynamoDB, but keep getting the following error from both Python and the CLI:

An error occurred (InvalidParameterValueException) when calling the CreateCluster operation: No permission to assume role: arn:aws:iam::xxxxxxxxxxxx:role/service-role/230e772f-DAXServiceRole

The CLI command I use is:

aws dax create-cluster --region some.region --cluster-name some.dax_name --node-type some.node_type --replication-factor 1 --subnet-group-name some.subnet_group_name --security-group-ids some.security_group_id --iam-role-arn some.iam_role_arn

Running this directly from the CLI works fine; running it manually through the console also works fine. Has anyone else had this issue?

John Rotenstein
  • Your question is a bit confusing: you say the CLI gives the error, then say running it directly from the CLI works? So which one is it? Do you have rights to assume that role? – Brandon Miller Jun 08 '18 at 02:49
  • I do have rights. I am attempting to run from a Python script, either encapsulated CLI or boto3, which causes the error. But when I use the same CLI directly from the command line, it runs fine with the same role/policy. – Flint Dominic Jun 08 '18 at 17:25
  • I tried mangling the ARN variable, and it looks like the same error. I'm thinking it's misspelled somehow; I'll try to output the ARN after the role is created, then use that result as the variable. – Flint Dominic Jun 08 '18 at 19:38
  • OK, even after getting the ARN directly from the JSON output after creating the role, it still has the same error. – Flint Dominic Jun 08 '18 at 20:08

2 Answers

0

OK, looks like my script was attempting to create the DAX cluster too soon after it created the role. This caused it to not be able to find it. I added time between and it was able to find the role.

0

The IAM role needs to be created with service, or else you will face the same error. For example, I created a role with the policy below and I faced the same issue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "some role arn"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Basically the above policy will add trust entities under Principal.

The DAX IAM role needs to be created with the policy below to avoid the above error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "dax.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For more details, please check the AWS doc: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.cli.create-service-role.html

palani.p
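The two answers describe two different causes of the same error: a role that has not propagated yet, and a trust policy without the DAX service principal. The following is an added example, not code from either answer, that checks the trust policy first and then retries only on the error quoted in the question. The function names, the attempt count and the delay are assumptions; `create_cluster` is any callable, for instance the `create_cluster` method of boto3's DAX client, and `trust_policy` is the role's trust policy as a dict.

```python
import time

DAX_SERVICE = "dax.amazonaws.com"

def trusts_dax(trust_policy):
    """True if an Allow statement lets the DAX service principal assume the role."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement object is valid too
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if (stmt.get("Effect") == "Allow" and DAX_SERVICE in services
                and "sts:AssumeRole" in actions):
            return True
    return False

def is_role_not_ready(exc):
    """Match the error from the question as botocore's ClientError exposes it."""
    err = getattr(exc, "response", {}).get("Error", {})
    return (err.get("Code") == "InvalidParameterValueException"
            and "No permission to assume role" in err.get("Message", ""))

def create_cluster_when_role_ready(create_cluster, trust_policy, attempts=6,
                                   delay=5.0, sleep=time.sleep, **cluster_args):
    """Call create_cluster(**cluster_args), retrying while a new role propagates."""
    if not trusts_dax(trust_policy):
        # Waiting cannot fix a wrong principal, so fail before calling AWS.
        raise ValueError("trust policy does not let dax.amazonaws.com assume the role")
    for attempt in range(1, attempts + 1):
        try:
            return create_cluster(**cluster_args)
        except Exception as exc:
            # Any other error, or the last attempt, is passed to the caller.
            if not is_role_not_ready(exc) or attempt == attempts:
                raise
            sleep(delay * 2 ** (attempt - 1))   # 5 s, 10 s, 20 s, ...
```

With boto3 the keyword arguments would be the usual `create_cluster` parameters such as `ClusterName`, `NodeType`, `ReplicationFactor` and `IamRoleArn`.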