CloudFormation stack deployment failed on IAM role creation due to error - Resource handler returned message: "null"


I'm currently working on the AWS Code Family Introduction workshop to familiarize myself with AWS' products. I'm at the part where I create a SAM project and use the SAM CLI to create a serverless CodePipeline CI pipeline. All is well until I push my commit and trigger CodePipeline to execute the deployment of the project using CloudFormation. When CloudFormation gets to the point of provisioning the IAM role for the Lambda functions for the sample API Gateway, I see the following error message:

Resource handler returned message: "null"

This then cascades into other failures such as "Resource creation cancelled" for "getByIdFunctionRole" and a few other roles followed by "The following resource(s) failed to create: [getAllItemsFunctionRole, putItemFunctionRole, getByIdFunctionRole]. Rollback requested by user."

It is evident that the initial error message is not very helpful. One thing I've considered is whether the CodePipeline service role was missing the IAM permission to create a role. However, when I checked the IAM policy that was attached, the effect statement was set to allow on action and resource "*". This leads me to believe it should have all the required access. I tried checking CloudTrail for hints on the failure, but I'm having a hard time trying to locate the user used for deployment. When I did find events that are related to CloudFormation, such as CreateStack, I don't see any error messages in the logs.

I've been grinding away on this problem for 30 minutes and I'm out of ideas. What can I do to narrow down the problem further to identify the root cause? Thanks in advance.

asked a month ago, 224 views
1 Answer


I believe that the creation of an IAM role is recorded in CloudTrail as an event called "CreateRole".
So, try searching for this event in CloudTrail's event history and see if an error has occurred.
By the way, please note that the "CreateRole" event cannot be found unless you look at CloudTrail in the us-east-1 region.

answered a month ago
reviewed a month ago
AWS
reviewed a month ago
  • Agree with Riku: tracing via CloudTrail will allow you to see which API steps were taken by CloudTrail until the stack fails.
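One way to run the CloudTrail search from the answer programmatically, written as an added example for this thread (it is not code from the workshop or from AWS): it pulls CreateRole events from us-east-1, where CloudTrail records the global IAM service's calls, with boto3's lookup_events, and keeps only those that carry an errorCode, reporting the role name, the calling principal and the error message. The filtering helper runs offline against an embedded sample in the shape LookupEvents returns; the account id, role names and error text in that sample are constructed, and the function names are my own.

```python
"""Find failed IAM CreateRole calls in CloudTrail event history.

Hypothetical helper written for this thread. The live lookup needs boto3
credentials with cloudtrail:LookupEvents; the filter below needs nothing.
"""
import json
from datetime import datetime, timedelta, timezone

# IAM is a global service, so its events land in the us-east-1 event history.
REGION = "us-east-1"


def failed_role_creations(events):
    """Return the failed CreateRole calls found in LookupEvents output.

    `events` is the list under the "Events" key of a LookupEvents response;
    each entry carries the full CloudTrail record as a JSON string.
    """
    failures = []
    for ev in events:
        record = json.loads(ev["CloudTrailEvent"])
        if record.get("eventSource") != "iam.amazonaws.com":
            continue
        if record.get("eventName") != "CreateRole" or "errorCode" not in record:
            continue
        identity = record.get("userIdentity", {})
        # For an assumed role (the CloudFormation / CodePipeline service role),
        # the role that was assumed is under sessionContext.sessionIssuer.
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        failures.append({
            "time": record.get("eventTime"),
            "role_name": record.get("requestParameters", {}).get("roleName"),
            "caller": issuer.get("arn") or identity.get("arn"),
            "error_code": record["errorCode"],
            "error_message": record.get("errorMessage", ""),
        })
    return failures


def lookup_create_role_events(hours=24):
    """Fetch CreateRole events from the last `hours` hours via the CloudTrail API."""
    import boto3  # imported here so the offline helper above needs no SDK

    client = boto3.client("cloudtrail", region_name=REGION)
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    events = []
    for page in client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "CreateRole"}],
        StartTime=start,
        EndTime=end,
    ):
        events.extend(page["Events"])
    return events


def _record(**fields):
    """Wrap a constructed CloudTrail record the way LookupEvents returns it."""
    base = {"eventVersion": "1.08", "eventSource": "iam.amazonaws.com", "awsRegion": REGION}
    base.update(fields)
    return {"CloudTrailEvent": json.dumps(base)}


# Constructed sample (not real account data): one success, one denied call,
# one unrelated IAM event that the filter must ignore.
_PIPELINE_IDENTITY = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/ExamplePipelineRole/AWSCloudFormation",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ExamplePipelineRole"}},
}
SAMPLE_EVENTS = [
    _record(eventName="CreateRole", eventTime="2024-01-01T10:00:00Z",
            userIdentity=_PIPELINE_IDENTITY,
            requestParameters={"roleName": "sam-app-getAllItemsFunctionRole-EXAMPLE"}),
    _record(eventName="CreateRole", eventTime="2024-01-01T10:00:01Z",
            userIdentity=_PIPELINE_IDENTITY,
            requestParameters={"roleName": "sam-app-getByIdFunctionRole-EXAMPLE"},
            errorCode="AccessDenied",
            errorMessage="(constructed) not authorized to perform: iam:CreateRole"),
    _record(eventName="CreatePolicy", eventTime="2024-01-01T10:00:02Z",
            userIdentity=_PIPELINE_IDENTITY,
            requestParameters={"policyName": "ExamplePolicy"}),
]


if __name__ == "__main__":
    # Swap SAMPLE_EVENTS for lookup_create_role_events() to query a real account.
    for failure in failed_role_creations(SAMPLE_EVENTS):
        print(f"{failure['time']} {failure['caller']} -> {failure['role_name']}: "
              f"{failure['error_code']} {failure['error_message']}")
```

If the stack keeps failing but this returns nothing for the deployment window, a denied or malformed CreateRole is ruled out and the next place to look is the other IAM calls the stack makes (the same filter works for any event name by changing the AttributeValue). The caller ARN printed here is also the answer to "which user was used for deployment": it is the service role CloudFormation assumed, not a human user.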
