AWS Cloudformation Role is not authorized to perform AssumeRole on Role

Question

I am trying to execute a cloudformation stack which contains the following resources:

• Codebuild project
• Codepipeline pipeline
• Roles needed

While trying to execute the stack, it fails with the following error:

arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on role arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)

I created the role using a managed policy, but I have already tried with a normal policy and it does not work neither.

This is the Role Policy:

CodePipelinePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
  Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
  Path: "/"
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Resource: "*"
        Effect: "Allow"
        Condition: {}
        Action:
          - autoscaling:*
          - cloudwatch:*
          - cloudtrail:*
          - cloudformation:*
          - codebuild:*
          - codecommit:*
          - codedeploy:*
          - codepipeline:*
          - ec2:*
          - ecs:*
          - ecr:*
          - elasticbeanstalk:*
          - elasticloadbalancing:*
          - iam:*
          - lambda:*
          - logs:*
          - rds:*
          - s3:*
          - sns:*
          - ssm:*
          - sqs:*
          - kms:*

This is the Role

CodePipelineRole:
Type: "AWS::IAM::Role"
Properties:
  RoleName: !Sub ${EnvironmentName}-CodePipelineRole
  AssumeRolePolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Action:
        - 'sts:AssumeRole'
        Effect: Allow
        Principal:
          Service:
          - codepipeline.amazonaws.com
  Path: /
  ManagedPolicyArns:
    - !Ref CodePipelinePolicy

What intrigues me the most is that it seems like CodePipelineRole is trying to AssumeRole to itself. I'm not understanding what can be happening here.

And when I set the policy's action to *, it works! I don't know what permissions could be missing.

Thanks

Answer 1

I bet you specified RoleArn on your Source action of the CodePipeline. Try to remove it.

   CodePipelinePipeline:
      Type: AWS::CodePipeline::Pipeline
      Properties:
      ...
      Stages: 
        - Name: "Source"
          Actions: 
          - Name: "Source"
            #RoleArn: !GetAtt CodePipelineRole.Arn

The last line was the reason for the very same error in my case.

Answer 2

It seems like, behind the scenes, AWS services keep some kind of role cache. If you try to make a role, attach a policy and create a new CodeBuild project sequentially, CodeBuild will give an unauthorized error because it can't find the role. It's similar to getting a forbidden access error on a non-existing bucket (instead of a 404). If you separate the stack in two other stacks: first you create the roles and then you create the CodeBuild, it works. I don't understand why the CLI command works instantly though.

Answer 3

It is to do with the trust relationship for the role you have created i.e. CodePipelineRole

1. Go to the Role in IAM

2. Select the Trust Relationships tab ...

3. Then Edit Trust Relationship to include codepipeline

     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": [
             "codepipeline.amazonaws.com"
           ]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }```
   

Answer 4

I had a similar issue with EKS for some reason code build role could not assume role. I solved it by creating a user with sufficient access and by setting:

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY

env vars as default env vars from environment section in cloud build:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

Answer 5

try adding sts:AssumeRole to the list of Actions.

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html

Cheers