[Question] CodeStarWorker-test-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: #448

Closed
Jun711 opened this issue May 25, 2018 · 3 comments

Comments


Jun711 commented May 25, 2018

Description:
One of my 'AWS::Serverless::Function' resources has a policies property like the following (without a role property):

Type: 'AWS::Serverless::Function'
Properties:
  Handler: helloWorld.handler
  Runtime: python3.6
  MemorySize: 128
  Description: 'helloWorld'
  FunctionName: helloWorld
  Policies:
    - Statement:
        - Effect: "Allow"
          Action:
            - "polly:SynthesizeSpeech"
          Resource:
            - "Fn::Sub": "arn:aws:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"

Observed result:
CodePipeline ExecuteChangeSet failed with this error:
API: iam:CreateRole User: arn:aws:sts::AccountId:assumed-role/CodeStarWorker-test-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::AccountId:role/awscodestar-test-lambda-helloWorldRole-V5QUHYDCDRBA

So, I went on to add iam:CreateRole policy to the AWSCloudFormation role and I retried.
In IAM Policy Simulator, that AWSCloudFormation role was able to perform IAM CreateRole action.
However, I got the same error.

Expected result:
Expected a new role to be created with the Polly policy.


Jun711 commented May 25, 2018

I found out that I had to add a list of IAM policies to my CodeStar CloudFormation role to enable the creation of a role by CloudFormation using the SAM function policies property in the YAML template.

Jun711 closed this as completed May 25, 2018
@Trav-Uncommitted

Hi @Jun711
I'm having this same issue and I'm not sure how you resolved it. Can you provide some more details?

Is there something I need to add to the CodeDeployRole?

CodeDeployRole:
  Type: String
  Description: IAM role to allow AWS CodeDeploy to manage deployment of AWS Lambda functions


Jun711 commented Aug 2, 2019

@Trav-Uncommitted
Sorry for the late reply. I didn't have to add anything to CodeDeployRole. I just added some IAM policies to the CloudFormation role to allow it to create roles. You can check out this article for more information.
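
An added example, not part of the thread or the project's code: an offline check of whether a policy document lets the CloudFormation role manage the role that SAM generates from `Policies`. The action list in `NEEDED`, the account ID and both sample policies are assumptions constructed for illustration; the thread does not say which policies were added.

```python
import fnmatch

# Assumption (not listed in the thread): IAM actions CloudFormation calls when
# SAM expands `Policies` into an AWS::IAM::Role and passes it to the function.
NEEDED = ["iam:CreateRole", "iam:GetRole", "iam:PutRolePolicy",
          "iam:AttachRolePolicy", "iam:PassRole", "iam:DetachRolePolicy",
          "iam:DeleteRolePolicy", "iam:DeleteRole"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _hit(statement, key, value, fold=False):
    # IAM wildcards are * and ?. Action names are case-insensitive, ARNs are not.
    for pattern in _as_list(statement.get(key, [])):
        if fold:
            pattern, value = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False

def missing_actions(policy, role_arn, needed=NEEDED):
    """Return the needed actions that the policy does not allow on role_arn.

    Simplified evaluation: NotAction, NotResource, Condition and permissions
    boundaries are ignored.
    """
    statements = _as_list(policy["Statement"])
    missing = []
    for action in needed:
        effects = {s["Effect"] for s in statements
                   if _hit(s, "Action", action, fold=True)
                   and _hit(s, "Resource", role_arn)}
        # An explicit Deny always wins; otherwise at least one Allow is required.
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed inputs: placeholder account ID, role name from the error message.
ROLE_ARN = ("arn:aws:iam::111122223333:role/"
            "awscodestar-test-lambda-helloWorldRole-V5QUHYDCDRBA")
ONLY_CREATE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": NEEDED,
     "Resource": "arn:aws:iam::111122223333:role/awscodestar-test-lambda-*"}]}

if __name__ == "__main__":
    print("only iam:CreateRole ->", missing_actions(ONLY_CREATE, ROLE_ARN))
    print("scoped to prefix    ->", missing_actions(SCOPED, ROLE_ARN))
```

Scoping `Resource` to the stack's role-name prefix instead of `*` keeps the CloudFormation role from creating or modifying arbitrary roles in the account.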
