Jiew Meng

Reputation: 88319

Role cannot be assumed by events.amazonaws.com

I am attempting to put a cloudwatch event rule using code:

const AWS = require('aws-sdk')
const cloudwatchevents = new AWS.CloudWatchEvents()

await cloudwatchevents.putRule({
  Name: 'xxx-ec2-start',
  EventPattern: '{"source":["aws.ec2"],"detail-type":["EC2 Instance State-change Notification"],"detail":{"state":["running"]}}',
  State: 'ENABLED',
  RoleArn: `arn:aws:iam::${account.Id}:role/skynet-cloudwatch-eventbus`,
}).promise()

However, I am getting:

(node:29939) UnhandledPromiseRejectionWarning: ValidationException: Provided role 'arn:aws:iam::00000000000:role/xxx-cloudwatch-eventbus' cannot be assumed by principal 'events.amazonaws.com'.

The role already has the assume policy doc to allow events.amazonaws.com. Why does it still fail?


Upvotes: 5

Views: 9094

Answers (2)

nbrowz

Reputation: 41

You've probably already found your answer by now, but you might be able to figure out what's wrong by looking for AssumeRole events in CloudTrail that have errors.

In my case, I set up the assume role policy correctly, but was receiving the same message you've specified. The CloudTrail AssumeRole event provided more meaningful details:

errorCode: RegionDisabledException errorMessage: STS is not activated in this region for account:xyz. Your account administrator can activate STS in this region using the IAM Console.

Enabling STS in this region resolved the issue in this case.

Upvotes: 3

The reason you are getting this error is that "events.amazonaws.com" is not listed as a Trusted Entity for the role theRole (in your case skynet-cloudwatch-eventbus).

One way to fix this is by going to https://console.aws.amazon.com/iam/home?region=us-east-1#roles/theRole (adapt this link to your region + real role name) > Trust Relationships tab > Edit Trust Relationships button > paste in "events.amazonaws.com" under services as in the example given below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Upvotes: 9
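A programmatic version of the trust-relationship check this answer describes, as an added example that is not code from the question or either answer: it evaluates a role's trust policy for a given service principal and builds a corrected policy when the principal is missing. The sample policy and all function names are constructed for illustration; with the AWS SDK you would feed it the AssumeRolePolicyDocument returned by iam.getRole().

```javascript
// Added example: does this trust policy let a service principal call sts:AssumeRole?
// Only Service principals are evaluated; IAM's explicit-Deny-wins rule is honoured.

// IAM allows Statement, Action and Principal.Service to be a string or an array.
function asArray(v) {
  return v == null ? [] : Array.isArray(v) ? v : [v];
}

// iam.getRole() returns Role.AssumeRolePolicyDocument URL-encoded; accept either form.
function parsePolicy(policyDoc) {
  const text = policyDoc.trim().startsWith('{') ? policyDoc : decodeURIComponent(policyDoc);
  return JSON.parse(text);
}

// True when the statement names `service` as a principal for sts:AssumeRole
// (or a wildcard action), regardless of its Effect.
function statementMatches(stmt, service) {
  const actions = asArray(stmt.Action);
  if (!actions.some(a => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*')) return false;
  return stmt.Principal != null && asArray(stmt.Principal.Service).includes(service);
}

// Returns true only if some Allow statement matches and no Deny statement does.
function canServiceAssume(policyDoc, service) {
  const matching = asArray(parsePolicy(policyDoc).Statement)
    .filter(s => statementMatches(s, service));
  if (matching.some(s => s.Effect === 'Deny')) return false;
  return matching.some(s => s.Effect === 'Allow');
}

// Returns the policy as a JSON string with `service` trusted. Rather than widening
// an existing statement, it appends one scoped to sts:AssumeRole for that service only.
function addTrustedService(policyDoc, service) {
  const policy = parsePolicy(policyDoc);
  if (!canServiceAssume(policyDoc, service)) {
    policy.Statement = asArray(policy.Statement)
      .concat({ Effect: 'Allow', Principal: { Service: service }, Action: 'sts:AssumeRole' });
  }
  return JSON.stringify(policy, null, 2);
}

// Constructed sample: a role that trusts only Lambda, which is exactly the state that
// produces "cannot be assumed by principal 'events.amazonaws.com'" from putRule.
const SAMPLE_TRUST_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
});

console.log(canServiceAssume(SAMPLE_TRUST_POLICY, 'events.amazonaws.com')); // false
console.log(addTrustedService(SAMPLE_TRUST_POLICY, 'events.amazonaws.com'));
```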
