CloudFormation stack failed to delete the “AWS::KMS::Alias” resource with the following error:
Resource handler returned message: “Access Denied for operation ‘DeleteAlias’. (RequestToken: {{ Request_Token}}, HandlerErrorCode: Access Denied).”
Description
During a DeleteStack operation on a CloudFormation stack, this error occurs when the IAM role used to delete the stack lacks the kms:DeleteAlias permission required to delete the KMS alias [1].
Resolution
To resolve the issue, first identify the IAM role that CloudFormation used for the stack operation. There are three reliable ways to find it:
Using the CloudFormation console:
- Navigate to the AWS CloudFormation console.
- Select the stack whose deletion failed.
- Open the "Stack info" tab.
- Locate the "IAM role" field, which displays the role used for stack operations.
AWS CLI method:
- Run the following command in your terminal: aws cloudformation describe-stacks --stack-name <your-stack-name>
- In the command output, look for the "RoleARN" field. This shows the exact role being used.
CloudTrail investigation:
- Open the CloudTrail console.
- From the "Lookup attributes" drop-down menu, select "Event name" and enter "DeleteAlias".
- Make sure you select the event whose timestamp matches the failed event shown in the CloudFormation console.
- Review the event details to find the IAM role: for a call made through an assumed role, the "userIdentity" section lists the session, and its "sessionIssuer" entry gives the role's ARN.
NOTE: If the stack was created using a CloudFormation service IAM role, any of the three methods (AWS Management Console, AWS CLI, or AWS CloudTrail) will show the role. If the stack was not created using a service role, the console and CLI show no role, because CloudFormation used the credentials of the principal that called DeleteStack; in that case use only the AWS CloudTrail method.
- After identifying the IAM role, open the role in the IAM console.
- Expand the "Permissions policies" section and open the associated policy.
- In the policy, add the kms:DeleteAlias permission to the Action section.
- After adding the permission, retry deleting the CloudFormation stack that failed to delete.
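The following Python is an added example, not part of this article or of any AWS tooling. It works through the CLI and CloudTrail methods on constructed sample data (the account ID, stack name, role name and ARNs are placeholders), checks whether the role's policy grants kms:DeleteAlias the way IAM evaluates it (wildcards match, an explicit Deny wins), and produces the corrected policy described above.

```python
import fnmatch
import json
# Constructed sample of `aws cloudformation describe-stacks` output (account, names, ARNs are placeholders).
DESCRIBE_STACKS = {"Stacks": [{"StackName": "example-stack", "StackStatus": "DELETE_FAILED",
                               "RoleARN": "arn:aws:iam::123456789012:role/CfnDeployRole"}]}
# Constructed CloudTrail record for the failed kms:DeleteAlias call made on the stack's behalf.
CLOUDTRAIL_EVENT = {"eventSource": "kms.amazonaws.com", "eventName": "DeleteAlias", "errorCode": "AccessDenied",
    "userIdentity": {"type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/CfnDeployRole/AWSCloudFormation",
        "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/CfnDeployRole"}}}}
# Constructed policy attached to that role: it may create and update aliases but not delete them.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["kms:CreateAlias", "kms:UpdateAlias", "kms:DescribeKey"]}]}

def stack_role_arn(describe_stacks, stack_name):
    """CLI method: the stack's RoleARN field, or None when no service role was used."""
    for stack in describe_stacks["Stacks"]:
        if stack["StackName"] == stack_name:
            return stack.get("RoleARN")
    return None

def cloudtrail_role_arn(event):
    """CloudTrail method: for an assumed-role session the IAM role is under sessionIssuer."""
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn")

def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else acts

def policy_allows(policy, action):
    """Check one action against an identity policy: wildcards match, an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def add_action(policy, action):
    """Copy of the policy with `action` added to the Allow statement that already grants that service's actions."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the original policy is left untouched
    service = action.split(":")[0] + ":"
    for stmt in fixed["Statement"]:
        if stmt["Effect"] == "Allow" and any(a.startswith(service) for a in _actions(stmt)):
            stmt["Action"] = sorted(set(_actions(stmt)) | {action})  # inherits that statement's Resource scope
            return fixed
    raise ValueError(f"no Allow statement with {service} actions to extend")
```

Extending the existing KMS statement rather than appending a new one with "Resource": "*" keeps the added permission scoped to the keys the role already manages.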
Related Information
[1] Aliases in AWS KMS - https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
[2] DeleteAlias - https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html