CJ Chang

Reputation: 394

How to create an identity-based policy that allows the iam:CreateRole action

I have a cloudformation template that works with AWS CLI but failed in CodePipeline due to the following error:

API: iam:CreateRole User: arn:aws:sts::xxxxxxxxxx:assumed-role/xxxxxxx-role/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxInstanceRole-xxxxxxx because no identity-based policy allows the iam:CreateRole action

Can anyone show me how to create an identity-based policy that allows the iam:CreateRole action?

Thanks in advance!

Upvotes: 2

Views: 4894

Answers (3)

TeslaGeek2020

Reputation: 1

I had to deal with this issue when using the Amazon Alexa Skill CLI with AWS Lambda, although I was following the guidelines in https://developer.amazon.com/en-US/docs/alexa/smapi/manage-credentials-with-ask-cli.html#create-aws-credentials

Unfortunately, it seems the guidelines above forgot to create the policy and put it into IAM. In other words, "iam:CreatePolicy" and "iam:PutRolePolicy" are missing from the JSON policy.

If you are following developer.amazon.com ... to create AWS credentials for Alexa, you could revise your JSON as below:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole",
            "iam:GetRole",
            "iam:CreatePolicy",
            "iam:PutRolePolicy",
            "iam:AttachRolePolicy",
            "iam:PassRole",
            "lambda:AddPermission",
            "lambda:CreateFunction",
            "lambda:GetFunction",
            "lambda:UpdateFunctionCode",
            "lambda:UpdateFunctionConfiguration",
            "lambda:ListFunctions",
            "logs:FilterLogEvents",
            "logs:getLogEvents",
            "logs:describeLogStreams"
        ],
        "Resource": "*"
    }
}

Upvotes: 0

Serhii Kushchenko

Reputation: 928

Adding iam:CreateRole alone is not enough; you also need to add several other permissions to the user, something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

Note: I am not sure that all these policies are required to perform the action.

Upvotes: 1

Marcin

Reputation: 238051

You can add an inline policy to your role/AWSCloudFormation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "*"
        }
    ]
}

Upvotes: 1
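All three answers grant the action on `"Resource": "*"`. As an added example that is not part of any answer above, the snippet below shows a policy scoped to the roles the stack actually creates (the account id `111122223333` and the `MyStack*` name prefix are assumed placeholders) and a small local pre-check that parses the AccessDenied message from the question and tests whether a candidate policy's statements would cover it before you attach the policy. The evaluator is deliberately simplified (no Condition, NotAction or NotResource handling), so it is a sanity check, not a replacement for the IAM policy simulator.

```python
import fnmatch
import re

# Constructed sample: the AccessDenied message from the question, with the
# account id and role names replaced by placeholder values.
DENIED_MSG = (
    "API: iam:CreateRole User: arn:aws:sts::111122223333:assumed-role/"
    "pipeline-role/AWSCloudFormation is not authorized to perform: "
    "iam:CreateRole on resource: "
    "arn:aws:iam::111122223333:role/MyStackInstanceRole-ABC123 "
    "because no identity-based policy allows the iam:CreateRole action"
)

# Scoped alternative to "Resource": "*": only roles in this account whose
# name starts with the stack's prefix (assumed naming convention).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CfnManageStackRoles",
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:GetRole", "iam:DeleteRole",
                   "iam:PutRolePolicy", "iam:AttachRolePolicy"],
        "Resource": "arn:aws:iam::111122223333:role/MyStack*",
    }],
}

def parse_denial(msg):
    """Return (action, resource_arn) from a CloudFormation AccessDenied message."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", msg)
    if not m:
        raise ValueError("not an AccessDenied message")
    return m.group(1), m.group(2)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def policy_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow.
    Action names are case-insensitive in IAM; resource ARNs are compared case-sensitively.
    Conditions are ignored (assumption), so treat a True result as a pre-check only."""
    statements = policy["Statement"]
    if isinstance(statements, dict):        # single-statement form, as in the first answer
        statements = [statements]
    allowed = False
    for st in statements:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(st.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(st.get("Resource", [])))
        if action_hit and resource_hit:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```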
