-1

I'm getting this error while modifying the stack change

API: iam:PutRolePolicy User: arn:aws:sts::769558805:assumed-role/AWS-QuickSetup-StackSet-Local-AdministrationRole/AWSCloudFormation is not authorized to perform: iam:PutRolePolicy on resource: role test-eu-west-1-lambdaRole because no identity-based policy allows the iam:PutRolePolicy action

Previously, I also updated the same using the Designer, however, everything went smoothly without any errors. The error only appeared this time. Does anyone know what the cause may be?

Questions:

  • Where should I put this iam:PutRolePolicy policy? In JSON template or attach it to the AWS-QuickSetup-StackSet-Local-AdministrationRole/AWSCloudFormation in IAM > Policy?
Henry.
  • If you are doing it via the console, did you enable the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox? If doing it using the CLI, add --capabilities CAPABILITY_IAM or --capabilities CAPABILITY_NAMED_IAM – omuthu Jul 25 '22 at 14:39
  • Hi, thank you for your reply. I checked that already. – Henry. Jul 25 '22 at 14:40
  • In that case, in configure stack options, you might have missed adding an IAM role which has permissions to do IAM put role policy. If you missed that, it will use your (logged in user) permissions and in your case, you did not have permission to do IAM put role policy – omuthu Jul 25 '22 at 14:45
  • I missed several policies along the way. After adding those, it worked like a charm. However, the role it used to deploy the application worked without these new adjustments. Not sure why it prompted the errors this time. – Henry. Jul 25 '22 at 19:57

1 Answer

0

Okay, so my stack has these events:

  • LogGroup
  • LambdaFunction
  • EventsRuleSchedule1
  • LambdaPermissionEventsRuleSchedule1

which require these rules in the policy:

  • EventBridge
  • IAM
  • Lambda
  • S3
  • S3 Object Lambda

After several steps of creating change sets, receiving errors, and fixing them, I finally made it work. So the solution here was to check the error line by line, type by type, then adjust the policy accordingly.

However, this is still a bit time-consuming, as I needed to test and run the stack every time I added a new policy. Not sure if there is a way to know all these "required" policies before executing stacks. If anyone knows any references, please comment below.

Henry.
  • Can you not see what role is used to trigger these Cloudformation updates? – Bao Thai Jul 25 '22 at 19:53
  • Yes, I can check the Status along the way and see the missing role/policy. But the problem was that it only pointed out one error at a time. So I ended up running several steps of creating stacks just to fix all the errors. – Henry. Jul 25 '22 at 20:01
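Two points from the thread are worth making concrete. First, the question of where iam:PutRolePolicy belongs: it has to be allowed in an identity-based policy of the principal shown in the error's User: field (the service role CloudFormation assumed, or the caller's own identity if no service role was supplied), never in the template, because the template is the thing being deployed, not the thing deploying. Second, the answer's wish to know the required permissions before executing the stack. The Python below is an added example, not the poster's code or anything from AWS: it walks a template's resource types, derives the action list from a hand-maintained mapping (an assumption covering only the types listed in the answer, plus the execution role implied by the error; extend it from the CloudFormation resource reference for other types), emits a policy scoped to the stack's own ARNs instead of "*", and diffs an existing policy against that list so every gap shows up at once rather than one failed change set at a time. The account ID, region, stack-name prefix and artifact bucket are placeholders, the naming convention "every resource name starts with the stack name" is an assumption, and the sample template, policy and error event are constructed inline.

```python
"""Derive the IAM actions a CloudFormation service role needs from a template and
diff them against an existing policy, so a gap like iam:PutRolePolicy shows up
before the change set runs. Added example, not the original poster's code;
RESOURCE_ACTIONS is a hand-maintained assumption limited to the types in the question."""
import fnmatch, json, re

# Assumption: what CloudFormation calls on the service role's behalf per type.
# Extend from the CloudFormation resource reference for other types.
RESOURCE_ACTIONS = {
    "AWS::Logs::LogGroup": ["logs:CreateLogGroup", "logs:DeleteLogGroup",
                            "logs:DescribeLogGroups", "logs:PutRetentionPolicy"],
    "AWS::Lambda::Function": ["lambda:CreateFunction", "lambda:GetFunction",
                              "lambda:DeleteFunction", "lambda:UpdateFunctionCode",
                              "lambda:UpdateFunctionConfiguration",
                              "s3:GetObject", "iam:PassRole"],  # package fetch; pass exec role
    "AWS::Lambda::Permission": ["lambda:AddPermission", "lambda:RemovePermission"],
    "AWS::Events::Rule": ["events:PutRule", "events:DescribeRule", "events:DeleteRule",
                          "events:PutTargets", "events:RemoveTargets"],
    # The "lambdaRole" in the error is an AWS::IAM::Role; writing its inline
    # policy is the iam:PutRolePolicy call that was denied.
    "AWS::IAM::Role": ["iam:CreateRole", "iam:GetRole", "iam:DeleteRole",
                       "iam:PutRolePolicy", "iam:GetRolePolicy", "iam:DeleteRolePolicy",
                       "iam:UpdateAssumeRolePolicy"],
}
# Assumption: actions that take no resource ARN and must stay on "*"
# (verify against the Service Authorization Reference).
UNSCOPED = {"logs:DescribeLogGroups"}

def required_actions(template):
    """Sorted union of actions for every resource type in the template."""
    actions = set()
    for logical_id, res in template["Resources"].items():
        if res["Type"] not in RESOURCE_ACTIONS:
            raise KeyError(f"no action mapping for {logical_id} ({res['Type']})")
        actions.update(RESOURCE_ACTIONS[res["Type"]])
    return sorted(actions)

def _arns(service, account, region, stack, bucket):
    """Assumed naming convention: every resource name starts with the stack name."""
    return {"logs": [f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{stack}-*"],
            "lambda": [f"arn:aws:lambda:{region}:{account}:function:{stack}-*"],
            "events": [f"arn:aws:events:{region}:{account}:rule/{stack}-*"],
            "iam": [f"arn:aws:iam::{account}:role/{stack}-*"],
            "s3": [f"arn:aws:s3:::{bucket}/*"]}[service]

def build_policy(template, account, region, stack, bucket):
    """Least-privilege policy document for the CloudFormation service role."""
    by_service, statements = {}, []
    for action in required_actions(template):
        if action == "iam:PassRole":  # own statement: the role may only be passed to Lambda
            statements.append({"Effect": "Allow", "Action": [action],
                               "Resource": _arns("iam", account, region, stack, bucket),
                               "Condition": {"StringEquals": {
                                   "iam:PassedToService": "lambda.amazonaws.com"}}})
        elif action in UNSCOPED:
            statements.append({"Effect": "Allow", "Action": [action], "Resource": "*"})
        else:
            by_service.setdefault(action.split(":")[0], []).append(action)
    for service, actions in sorted(by_service.items()):
        statements.append({"Effect": "Allow", "Action": sorted(actions),
                           "Resource": _arns(service, account, region, stack, bucket)})
    return {"Version": "2012-10-17", "Statement": statements}

def missing_actions(existing_policy, template):
    """Required actions no Allow statement covers; wildcards like lambda:* are honoured.
    Resource ARNs and Conditions are not evaluated: use the IAM policy simulator for those."""
    allowed = []
    for stmt in existing_policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt["Action"]
            allowed += [acts.lower()] if isinstance(acts, str) else [a.lower() for a in acts]
    return [a for a in required_actions(template)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in allowed)]

_DENIED = re.compile(r"is not authorized to perform: (\S+) on resource: (.+?)(?: because|$)")

def parse_access_denied(message):
    """Extract (action, resource) from a CloudFormation AccessDenied event message."""
    m = _DENIED.search(message)
    return (m.group(1), m.group(2)) if m else None

# Constructed samples: the answer's resources plus the execution role, a policy
# that is one action short (as in the question), and a redacted error event.
SAMPLE_TEMPLATE = {"Resources": {
    "LogGroup": {"Type": "AWS::Logs::LogGroup"},
    "IamRoleLambdaExecution": {"Type": "AWS::IAM::Role"},
    "LambdaFunction": {"Type": "AWS::Lambda::Function"},
    "EventsRuleSchedule1": {"Type": "AWS::Events::Rule"},
    "LambdaPermissionEventsRuleSchedule1": {"Type": "AWS::Lambda::Permission"}}}
EXISTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["lambda:*", "logs:*", "events:*", "s3:GetObject"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateRole", "iam:GetRole", "iam:DeleteRole", "iam:GetRolePolicy",
                "iam:DeleteRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:PassRole"]}]}
ERROR_EVENT = ("API: iam:PutRolePolicy User: arn:aws:sts::123456789012:assumed-role/DeployRole/"
               "AWSCloudFormation is not authorized to perform: iam:PutRolePolicy on resource: "
               "role test-eu-west-1-lambdaRole because no identity-based policy allows the "
               "iam:PutRolePolicy action")

if __name__ == "__main__":  # print the policy to attach to the service role
    print(json.dumps(build_policy(SAMPLE_TEMPLATE, "123456789012", "eu-west-1",
                                  "test-eu-west-1", "my-deployment-bucket"), indent=2))
```

Attach the generated document to the service role with `aws iam put-role-policy`, then create the change set with `--role-arn` pointing at that role and `--capabilities CAPABILITY_NAMED_IAM` (needed because the execution role in the error has a custom name). The identity that launches the stack still needs iam:PassRole on the service role itself, and `aws iam simulate-principal-policy --action-names ...` will evaluate resource ARNs and conditions that the action-only diff above deliberately skips. Running missing_actions against the constructed policy returns exactly ["iam:PutRolePolicy"], the one action the question was missing.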