How to troubleshoot “Policy <ARN> does not exist or is not attachable”, when creating an AWS IAM Role using CloudFormation?

3 minute read
Content level: Intermediate

This article explains how to resolve the error "Policy <ARN> does not exist or is not attachable", which occurs when creating an AWS IAM Role through CloudFormation with a policy ARN that is invalid or not compatible with the IAM role.

Description:

This error usually occurs when creating an AWS::IAM::Role resource with the ManagedPolicyArns property, which lists the Amazon Resource Names (ARNs) of the IAM managed policies you want to attach to the role, and one of those policies either does not exist or cannot be attached to the IAM role being created. This indicates an issue with the policy ARN value itself or with its compatibility with the IAM role resource.

Resolution:

This error can occur in two scenarios: the policy does not exist, or the policy ARN provided is not attachable. The troubleshooting steps for each scenario follow.

Scenario 1: Policy ARN does not exist

To fix this issue, follow the steps below:

  1. Open the CloudFormation console.
  2. From the list of stacks, identify the stack that fails while creating the IAM role.
  3. From the Events tab, make a note of the IAM policy ARN mentioned in the error message.
  4. Go to the AWS IAM console.
  5. In the navigation pane, choose Policies.
  6. Search for the IAM policy using the policy name. The policy name is the last part of the ARN you noted earlier.
  7. If the policy exists, ensure that the policy ARN specified in the template matches the one shown in the console.
  8. If the policy does not exist, create a new customer-managed IAM policy.
  9. Modify the CloudFormation template and replace the IAM policy ARN in the ManagedPolicyArns property with the ARN of the newly created policy.
  10. Return to the CloudFormation console and create or update the CloudFormation stack with the modified template.

Scenario 2: Policy is not attachable

To fix this issue, follow steps 1 through 6 from Scenario 1, then check whether the policy exists and whether it is a service role policy (i.e., the ARN is in the format arn:aws:iam::aws:policy/aws-service-role/*).

Service role policies (AWS reserved policies) are used only by service-linked roles, which are linked to specific AWS services. These policies cannot be attached to standard IAM roles. For more information, refer to the IAM documentation.

If you want your IAM role to have the same permissions as the service role policy, copy the permissions from the service role policy into a new customer-managed IAM policy, use the new policy's ARN under the ManagedPolicyArns property of the AWS::IAM::Role resource, and then create or update the CloudFormation stack.

In both scenarios, the key is to ensure that the policy is valid and compatible with the AWS IAM role.
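The following template is an added example, not part of the original article, showing both failure cases from the scenarios above as comments and the working fix: the copied permissions live in an AWS::IAM::ManagedPolicy resource whose ARN is passed to the role with !Ref. The resource names, the Lambda trust policy and the CloudWatch Logs statement are placeholders chosen for illustration; substitute the permissions you copied from the non-attachable policy.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example (not from the article) - attach a customer-managed policy instead of a service-role policy

Resources:
  # Customer-managed policy that holds the permissions copied from the
  # service-role policy. The statement below is a placeholder; replace it
  # with the statements copied from the policy you could not attach.
  AppRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Permissions copied from a non-attachable service-role policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'

  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com   # placeholder trusted service
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Both of these produce "Policy <ARN> does not exist or is not attachable":
        #   - arn:aws:iam::123456789012:policy/MyPolcy           # Scenario 1: typo, policy does not exist
        #   - arn:aws:iam::aws:policy/aws-service-role/<Name>    # Scenario 2: service-role policy, not attachable
        # Working fix: reference the customer-managed policy created above.
        # !Ref on an AWS::IAM::ManagedPolicy returns the policy ARN.
        - !Ref AppRolePolicy
```

Because the policy is created in the same stack, CloudFormation orders the ManagedPolicy before the Role automatically, so the ARN is guaranteed to exist when the role is created.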


Co-Author: Karthik Nujella
