Thanks, I have managed to fix it by myself. I had to give iam:PassRole to CodePipeline so that it can pass the CFN role to the CFN service. The CloudTrail message was a bit confusing.
Hello.
CT: "errorMessage": "User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: iam:PassRole on resource: CodePipelinePolicy",
Judging from the content of the error message, it appears that the IAM user you are using does not have sufficient permissions to attach an IAM policy.
What IAM policy is set for the IAM user you are using?
Can you confirm if setting "AdministratorAccess" for the IAM user resolves the issue?
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html
Also, when deploying CloudFormation with CodePipeline, permissions to operate CloudFormation are required in CodePipeline's IAM policy.
https://docs.aws.amazon.com/codepipeline/latest/userguide/security-iam.html#how-to-custom-role
CodePipeLineRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: CodePipelinePolicy
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "codepipeline.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Path: "/"
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
    Policies:
      - PolicyName: CodePipelineAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - logs:Describe*
                - logs:Create*
                - logs:Put*
                - codepipeline:*
              Resource: "*"
            - Effect: "Allow"
              Action:
                - cloudformation:CreateStack
                - cloudformation:DeleteStack
                - cloudformation:DescribeStacks
                - cloudformation:UpdateStack
                - cloudformation:CreateChangeSet
                - cloudformation:DeleteChangeSet
                - cloudformation:DescribeChangeSet
                - cloudformation:ExecuteChangeSet
                - cloudformation:SetStackPolicy
                - cloudformation:ValidateTemplate
              Resource: "*"
AWSTemplateFormatVersion: 2010-09-09
Description: CodePipeline sample
Parameters:
  CodeCommitRepoName:
    Type: String
  CodePipelineName:
    Type: String

Resources:
  CodePipeLineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CodePipelinePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "codepipeline.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
      Policies:
        - PolicyName: CodePipelineAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  #- codecommit:UploadArchive
                  - logs:Describe*
                  - logs:Create*
                  - logs:Put*
                  - codepipeline:*
                Resource: "*"
        # - PolicyName: PassRole
        #   PolicyDocument:
        #     Version: "2012-10-17"
        #     Statement:
        #       - Effect: "Allow"
        #         Action:
        #           - iam:PassRole
        #         Resource: "arn:aws:iam::216564071998:role/CodePipelinePolicy"

  CodePipeline:
    Type: 'AWS::CodePipeline::Pipeline'
    Properties:
      ExecutionMode: SUPERSEDED
      Name: !Ref CodePipelineName
      PipelineType: V2
      RoleArn: !GetAtt [CodePipeLineRole, Arn]
      Tags:
        - Key: DeploymentType
          Value: "CloudFormation"
      Stages:
        - Name: Source
          Actions:
            - Name: CheckoutSourceTemplate
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: 1
                Provider: CodeCommit
              Configuration:
                PollForSourceChanges: False
                RepositoryName: !Ref CodeCommitRepoName
                BranchName: main
              OutputArtifacts:
                - Name: TemplateSource
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: CreateStack
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CloudFormation
                Version: 1
              InputArtifacts:
                - Name: TemplateSource
              Configuration:
                ActionMode: CREATE_UPDATE
                # The CloudFormation action needs the role ARN; !Ref on an
                # AWS::IAM::Role returns only the role name, so use !GetAtt.
                RoleArn: !GetAtt CodePipeLineRole.Arn
                StackName: pipeline
                Capabilities: CAPABILITY_IAM
                TemplateConfiguration: TemplateSource::test-configuration.json
                TemplatePath: TemplateSource::template.yml
              RunOrder: 1
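The fix the asker arrived at (granting iam:PassRole so CodePipeline can hand a role to CloudFormation) can be written with tighter scope than a blanket PassRole on the pipeline's own role. The template fragment below is an added example, not the thread's template or anything from AWS documentation: it assumes a separate deployment role named CloudFormationDeployRole that only CloudFormation may assume, and lets the pipeline role pass exactly that role, and only to the CloudFormation service (the iam:PassedToService condition key). The s3 permissions on the deployment role are a placeholder for whatever the deployed stack actually creates.

```yaml
# Added example: least-privilege PassRole for a CodePipeline -> CloudFormation deploy.
# Assumed resource names: CloudFormationDeployRole (new) and CodePipeLineRole (as in the thread).
Resources:
  # Role that CloudFormation itself assumes while creating the stack's resources.
  # Keep its policy limited to the services the deployed template provisions.
  CloudFormationDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudFormationDeployRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DeployTargets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:*            # placeholder: replace with what the stack really creates
                Resource: "*"

  # Pipeline role: may drive CloudFormation and may pass ONE role, ONLY to CloudFormation.
  CodePipeLineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CodePipelinePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
      Policies:
        - PolicyName: CodePipelineAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:Describe*
                  - logs:Create*
                  - logs:Put*
                  - codepipeline:*
                Resource: "*"
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                Resource: "*"
              # The statement the thread was missing, scoped to a single role
              # and to the CloudFormation service as the receiving principal.
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt CloudFormationDeployRole.Arn
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com
  # In the pipeline's Deploy action, set
  #   Configuration:
  #     RoleArn: !GetAtt CloudFormationDeployRole.Arn
  # so the passed role is the deployment role, not the pipeline role itself.
```

Splitting the two roles matters for blast radius: the pipeline role then never holds the permissions used to create the stack's resources, and the PassRole grant cannot be reused to hand the deployment role to any service other than CloudFormation. A CloudTrail AccessDenied for iam:PassRole after this change points at a mismatch between the Resource in the PassRole statement and the RoleArn configured on the Deploy action.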
Thanks for your reply. I just tried with CFN permissions; it is still failing.
I have tried to deploy the CFN stack both from the AWS CLI and the CFN console, with an IAM user with full admin access and even the root user. The error is still the same.
If you check CloudTrail's event history, you may be able to find a more detailed reason. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html