18

I am trying to execute a cloudformation stack which contains the following resources:

  • Codebuild project
  • Codepipeline pipeline
  • Roles needed

While trying to execute the stack, it fails with the following error:

arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on role arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)

I created the role using a managed policy, but I have already tried with a normal policy and it does not work either.

This is the Role Policy:

```yaml
CodePipelinePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
    Path: "/"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Resource: "*"
          Effect: "Allow"
          Condition: {}
          Action:
            - autoscaling:*
            - cloudwatch:*
            - cloudtrail:*
            - cloudformation:*
            - codebuild:*
            - codecommit:*
            - codedeploy:*
            - codepipeline:*
            - ec2:*
            - ecs:*
            - ecr:*
            - elasticbeanstalk:*
            - elasticloadbalancing:*
            - iam:*
            - lambda:*
            - logs:*
            - rds:*
            - s3:*
            - sns:*
            - ssm:*
            - sqs:*
            - kms:*
```

This is the Role:

```yaml
CodePipelineRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: !Sub ${EnvironmentName}-CodePipelineRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - !Ref CodePipelinePolicy
```

What intrigues me the most is that it seems like CodePipelineRole is trying to AssumeRole to itself. I'm not understanding what can be happening here.

And when I set the policy's action to *, it works! I don't know what permissions could be missing.

Thanks

Juan Rivillas
  • Are you trying to use the same role for the CodePipeline role and the CloudFormation or action role? Try a different role and see if the error is still there. – TimB Nov 27 '18 at 17:46
  • Did you ever figure this out? I'm having the same issue. – user4601931 Dec 28 '18 at 07:57
  • Same problem here, any answer yet? – David J Eddy Jan 24 '19 at 18:12
  • Just had this happen to me for a codepipeline. I ended up waiting a couple minutes and clicked create again and it just worked – Frank Apr 03 '19 at 15:34
  • Maybe you need to edit on the [Trust Relationships](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html) tab, not sure. – Jordan Jul 03 '19 at 17:55

5 Answers

10

It is to do with the trust relationship for the role you have created i.e. CodePipelineRole

  1. Go to the Role in IAM

  2. Select the Trust Relationships tab ...

  3. Then Edit Trust Relationship to include codepipeline

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codepipeline.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
    
theabrar
OneMoreNerd
3

It seems like, behind the scenes, AWS services keep some kind of role cache. If you try to make a role, attach a policy and create a new CodeBuild project sequentially, CodeBuild will give an unauthorized error because it can't find the role. It's similar to getting a forbidden access error on a non-existing bucket (instead of a 404). If you separate the stack in two other stacks: first you create the roles and then you create the CodeBuild, it works. I don't understand why the CLI command works instantly though.

Felipe Desiderati
1

Try adding sts:AssumeRole to the list of Actions.

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html

Cheers

david24365
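As an added example (not code from the question or from any answer), here is an offline check of the two conditions that both the trust-relationship answer and the "add sts:AssumeRole" answer touch on: the caller's identity policy must allow sts:AssumeRole on the target role, and the target role's trust policy must name the caller. The sample policies are constructed from the question's templates; ACCOUNT_ID is a placeholder, and the last function shows the least-privilege alternative to setting the action to `*`.

```python
import fnmatch
import json

# Constructed sample values modelled on the question; ACCOUNT_ID is a placeholder, not a real account.
PIPELINE_ROLE_ARN = "arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole"

# Identity policy shaped like the question's managed policy: service wildcards, but no sts:* entry.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["codebuild:*", "codepipeline:*", "iam:*", "s3:*"]}],
}

# Trust policy from the question's AWS::IAM::Role: only the CodePipeline service principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": ["codepipeline.amazonaws.com"]}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def identity_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Action names match case-insensitively with '*' wildcards, as IAM does."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if action_hit and resource_hit:
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def trust_allows(trust_policy, principal_kind, principal_value):
    """Does the role's trust policy let this principal ('Service' or 'AWS') call sts:AssumeRole?"""
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "sts:AssumeRole" in _as_list(st.get("Action", [])) and principal_value in _as_list(principal.get(principal_kind, [])):
            return True
    return False

def with_assume_role_statement(policy, role_arn):
    """Least-privilege alternative to Action '*': add sts:AssumeRole scoped to one role ARN."""
    fixed = json.loads(json.dumps(policy))  # deep copy so the original policy stays untouched
    fixed["Statement"].append({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn})
    return fixed
```

Run against the question's policy, `identity_allows(IDENTITY_POLICY, "sts:AssumeRole", PIPELINE_ROLE_ARN)` is False, which matches the observation that only `Action: "*"` made the stack work.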
0

I had a similar issue with EKS: for some reason the CodeBuild role could not assume the role. I solved it by creating a user with sufficient access and by setting:

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY

env vars as default env vars from the environment section in CodeBuild:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

Parth Mehta
0

I bet you specified RoleArn on your Source action of the CodePipeline. Try to remove it.

```yaml
CodePipelinePipeline:
  Type: AWS::CodePipeline::Pipeline
  Properties:
    ...
    Stages:
      - Name: "Source"
        Actions:
          - Name: "Source"
            #RoleArn: !GetAtt CodePipelineRole.Arn
```

The last line was the reason for the very same error in my case.

andrew