16

This is part of the code of my template.yml in Cloud9:

Type: 'AWS::Serverless::Function'
Properties:
  Handler: index.handler
  Runtime: nodejs6.10
  CodeUri: .
  Description: Updates records in the AppConfig table.
  MemorySize: 128
  Timeout: 3
  Role: 'arn:aws:iam::579913947261:role/FnRole'
  Events:
    Api1:
      Type: Api
      Properties:

When I commit the changes in Cloud9, deployment fails at the CodePipeline Deploy stage while trying ExecuteChangeSet. I get this error:

CloudFormation is not authorized to perform: iam:PassRole on resource

Can anyone help?

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
Second Of Two
  • 469
  • 1
  • 5
  • 10

5 Answers

29

User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)

From this log you can tell what policy (iam:PassRole) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation).

You should:

  • Go to IAM > Roles
  • Type CodeStarWorker-AppConfig-CloudFormation in the search box
  • Open that role and go to Permissions
  • Find CodeStarWorkerCloudFormationRolePolicy, expand it, and click Edit policy
  • In the following section, under Resource, add the ARN of your role (arn:aws:iam::579913947261:role/FnRole). If you don't have that section, just copy and paste this, but under Resource use your own ARNs.

Policy:

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
        "arn:aws:iam::579913947261:role/FnRole"
    ],
    "Effect": "Allow"
}

If you want to assign that permission to all resources ("Resource": "*"), find the following section and, above it under Action, add the permission you want to assign:

"Resource": "*",
"Effect": "Allow"

You can apply this to all the other permissions you want to assign to CloudFormation for your resources.

Second Of Two
  • 469
  • 1
  • 5
  • 10
  • Thanks for helping in formatting the answer @John Rotenstein, and I wish I could mark your answer as useful, but I need to have 15 reputation. – Second Of Two Aug 22 '18 at 06:06
  • You won't get reputation for answering your own question. This is how Stack Overflow works. – Sangam Belose Feb 08 '19 at 16:04
  • There is a small gotcha here to @SecondOfTwo's answer: if it is an AWS Managed Policy you can't edit it, which is often the case using CodePipeline. Just create a new policy and attach it to the Role. – user1412523 Jul 19 '19 at 13:33
23

While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole permissions.

The iam:PassRole permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.

In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function.

When a CloudFormation template is launched, it either provisions resources as the user who is creating the stack, or using an IAM Role specified when the stack is launched. It is that User/Role that requires the iam:PassRole permissions to use FnRole.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • Thanks for the info. Sorry, I should have posted more log info. User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9) I am aware that I need to give permission to CloudFormation, but I didn't know how to do that and where. – Second Of Two Aug 22 '18 at 04:20
  • 1
    @John Rotenstein accurate and well explained answer. – Sangam Belose Feb 08 '19 at 16:07
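To illustrate both the iam:PassRole scoping in the accepted answer and John Rotenstein's point that PassRole exists to stop a caller handing a resource more privilege than the caller itself holds, here is an added Python example (not code from either answer). It builds the scoped statement with the role ARNs from the question, compares it with the "Resource": "*" variant, and runs a simplified local policy evaluation; the AdminRole ARN is a constructed placeholder, and the evaluator models only the iam:PassedToService condition key.

```python
import fnmatch
import json

# Role ARNs quoted in the question and the accepted answer.
FN_ROLE = "arn:aws:iam::579913947261:role/FnRole"
LAMBDA_ROLE = "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda"

def build_passrole_policy(role_arns, passed_to_service="lambda.amazonaws.com"):
    """Least-privilege statement for the CloudFormation worker role: pass only
    the listed roles, and only to the service named in iam:PassedToService."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PassRoleToLambdaOnly",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": passed_to_service}},
    }]}

def wildcard_passrole_policy():
    """The "Resource": "*" variant from the answer: any role can be passed."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows_passrole(policy, role_arn, service):
    """Simplified IAM evaluation of one iam:PassRole request: an explicit Deny
    wins, otherwise any matching Allow grants. Action and Resource use IAM-style
    wildcards; only the StringEquals/iam:PassedToService condition is modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase("iam:PassRole", a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wanted is not None and service not in _as_list(wanted):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    scoped = build_passrole_policy([FN_ROLE, LAMBDA_ROLE])
    print(json.dumps(scoped, indent=2))
    other = "arn:aws:iam::579913947261:role/AdminRole"  # constructed placeholder, not in the question
    for pol, name in ((scoped, "scoped"), (wildcard_passrole_policy(), "wildcard")):
        print(name, "FnRole->lambda:", allows_passrole(pol, FN_ROLE, "lambda.amazonaws.com"),
              "FnRole->ec2:", allows_passrole(pol, FN_ROLE, "ec2.amazonaws.com"),
              "AdminRole->lambda:", allows_passrole(pol, other, "lambda.amazonaws.com"))
```

The scoped policy lets the worker role pass FnRole to Lambda only, while the wildcard variant would also let it pass an unrelated administrative role to any service.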
0

If you change the name of the role from: RoleName: 'arn:aws:iam::579913947261:role/FnRole'

to include the prefix CodeStar-${ProjectId}, then the role can be created/updated/etc. without having to modify the IAM policy of the CodeStarWorker-AppConfig-CloudFormation role, e.g. RoleName: !Sub 'CodeStar-${ProjectId}-[FunctionName]'

I posted a full explanation here: Change IAM Role for a Lambda in a CloudFormation template in a CodeStar project?

AlexB
  • 171
  • 1
  • 8
-1

To enable we reduce the complications on how people get along with AWS.

The Action part in the policy JSON has to be updated.

"iam:PassRole"

should be added to the Action block in the policy file.

Codedreamer
  • 1,552
  • 15
  • 13
-1

You just need to put this in your policy:

{
    "Sid": "PolicyStatementToAllowUserToPassOneSpecificRole",
    "Effect": "Allow",
    "Action": [ "iam:PassRole" ],
    "Resource": "arn:aws:iam::<account-id>:role/RDS-Monitoring-Role"
}

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

joe06
  • 418
  • 4
  • 17