Codepipeline: "root is not authorized to perform: iam:PassRole"

0

Hello,

I'm trying to create a CodePipeline with CloudFormation.

But this error occurred.

User: arn:aws:iam::<user id>:root is not authorized to perform: iam:PassRole on resource: CloudFormationRole

Here is my code.

  # CloudFormation
  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole

  CloudFormationServicePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: 
        !Sub CloudFormationPolicy-${AWS::AccountId}
      
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CloudWatchLogsPolicy
            Effect: Allow
            Action: 
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: "*"

          - Sid: S3ObjectPolicy
            Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
            Resource: "*"

          - Sid: ECRPowerUserPolicy
            Effect: Allow
            Action: 
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:DescribeImages
              - ecr:BatchGetImage
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            Resource: "*"
            
      Roles:
        - !Ref CloudFormationRole

  # CodePipeline
  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        EncryptionKey:
          Id: !GetAtt KMSPrivateKey.Arn
          Type: KMS
        Location: !Ref CodeCommitS3Bucket
        Type: S3
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      Stages:
      - Actions:
        - ActionTypeId:
            Category: Source
            Owner: AWS
            Provider: CodeCommit
            Version: 1
          Configuration:
            PollForSourceChanges: false
            RepositoryName: !Ref RepositoryName
            BranchName: master
          Name: source
          OutputArtifacts:
          - Name: CodecommitArtifact
          RoleArn: !GetAtt CodeCommitRole.Arn
        Name: source
      - Actions:
        - ActionTypeId:
            Category: Build
            Owner: AWS
            Provider: CodeBuild
            Version: 1
          Configuration:
            ProjectName: !Ref CodeBuild
          InputArtifacts:
          - Name: CodecommitArtifact
          OutputArtifacts:
          - Name: CodebuildArtifact
          Name: build
        Name: build
      - Actions:
        - ActionTypeId:
            Category: Deploy
            Owner: AWS
            Provider: CloudFormation
            Version: 1
          Configuration:
            ActionMode: CHANGE_SET_REPLACE
            RoleArn: !Ref CloudFormationRole
            StackName: !Ref RepositoryName
          InputArtifacts:
            - Name: CodebuildArtifact
          Name: GenerateChangeSet
        Name: ChangeSetReplace
      - Actions:
        - ActionTypeId:
            Category: Deploy
            Owner: AWS
            Provider: CloudFormation
            Version: 1
          Configuration:
            ActionMode: CHANGE_SET_EXECUTE
            RoleArn: !Ref CloudFormationRole
            StackName: !Ref RepositoryName
          Name: ExecuteChangeSet
        Name: Deploy
  
  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeCommitFullAccess
        - arn:aws:iam::aws:policy/AWSLambdaFullAccess
        - arn:aws:iam::aws:policy/AWSCodeDeployFullAccess
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
        - arn:aws:iam::aws:policy/AWSCodePipelineFullAccess
        - arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess 
        - arn:aws:iam::aws:policy/CloudWatchEventsFullAccess 
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !GetAtt CodeCommitRole.Arn
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !GetAtt CloudFormationRole.Arn
            Action: sts:AssumeRole

  CodePipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: 
        !Sub CodePipelineServicePolicy-${AWS::AccountId}
      Roles: 
        - !Ref CodePipelineServiceRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement: 
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !Sub arn:aws:iam::${DevelopAccountID}:role/*
          - Sid: "S3Policy"
            Action: 
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:GetBucketVersioning
            Resource: "*"
            Effect: Allow
            
          - Sid: CodeBuildPolicy
            Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
            Resource: "*"
            Effect: Allow


          - Sid: ECSPolicy
            Action: 
              - ecs:DescribeServices
              - ecs:DescribeTaskDefinition
              - ecs:DescribeTasks
              - ecs:ListTasks
              - ecs:RegisterTaskDefinition
              - ecs:UpdateService
              - iam:PassRole
            Resource: "*"
            Effect: Allow
          - Effect: Allow
            Action: kms:*
            Resource: "*"

How can I solve this problem?

I really appreciate any help.

Thanks in advance.

tetsuro
asked 5 years ago, 1333 views
4 answers
0
Accepted answer

Hi,
I was able to reproduce the "not authorized to perform iam:PassRole" error.
To fix that error, I had to change:

            ActionMode: CHANGE_SET_REPLACE
            RoleArn: !Ref CloudFormationRole

To:

            ActionMode: CHANGE_SET_REPLACE
            RoleArn: !GetAtt CloudFormationRole.Arn

And also change:

            ActionMode: CHANGE_SET_EXECUTE
            RoleArn: !Ref CloudFormationRole

To:

            ActionMode: CHANGE_SET_EXECUTE
            RoleArn: !GetAtt CloudFormationRole.Arn

That should hopefully unblock you on the "not authorized" error message.

Hope this helps,
-randy

Edited by: RandyTakeshita on Sep 4, 2019 7:11 AM - removed last comment block.

answered 5 years ago
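The accepted answer's fix, as an added example that is not from the question or any of the answers: a small Python check over a template loaded in CloudFormation's JSON form (the `TEMPLATE` fragment is constructed to mirror the question's pipeline). It flags a CloudFormation deploy action whose `RoleArn` is a `Ref` to an `AWS::IAM::Role`, since `Ref` on a role yields the role name rather than the ARN the action needs, and can rewrite it to `Fn::GetAtt`.

```python
# Added example, not code from the original post. Ref on an AWS::IAM::Role
# returns the role *name*; CodePipeline's CloudFormation action expects the
# role *ARN* (Fn::GetAtt [Role, Arn]). Templates are in CloudFormation's JSON form.

# Constructed fragment mirroring the question's pipeline (not the original YAML).
TEMPLATE = {
    "Resources": {
        "CloudFormationRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "CodePipeline": {
            "Type": "AWS::CodePipeline::Pipeline",
            "Properties": {"Stages": [
                {"Name": "ChangeSetReplace", "Actions": [{
                    "Name": "GenerateChangeSet",
                    "ActionTypeId": {"Category": "Deploy", "Provider": "CloudFormation"},
                    "Configuration": {"ActionMode": "CHANGE_SET_REPLACE",
                                      "RoleArn": {"Ref": "CloudFormationRole"}}}]},  # bug
                {"Name": "Deploy", "Actions": [{
                    "Name": "ExecuteChangeSet",
                    "ActionTypeId": {"Category": "Deploy", "Provider": "CloudFormation"},
                    "Configuration": {"ActionMode": "CHANGE_SET_EXECUTE",
                                      "RoleArn": {"Fn::GetAtt": ["CloudFormationRole", "Arn"]}}}]},
            ]},
        },
    }
}

def _cfn_actions(template):
    """Yield (stage, action) for every CloudFormation action of every pipeline."""
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::CodePipeline::Pipeline":
            continue
        for stage in res.get("Properties", {}).get("Stages", []):
            for action in stage.get("Actions", []):
                if action.get("ActionTypeId", {}).get("Provider") == "CloudFormation":
                    yield stage, action

def check_role_arns(template, fix=False):
    """Return [(stage, action, role)] for each CloudFormation action whose RoleArn
    is a Ref to an AWS::IAM::Role; with fix=True, rewrite it to Fn::GetAtt in place."""
    resources = template.get("Resources", {})
    findings = []
    for stage, action in _cfn_actions(template):
        cfg = action.setdefault("Configuration", {})
        role_arn = cfg.get("RoleArn")
        target = role_arn.get("Ref") if isinstance(role_arn, dict) else None
        if target and resources.get(target, {}).get("Type") == "AWS::IAM::Role":
            findings.append((stage["Name"], action["Name"], target))
            if fix:
                cfg["RoleArn"] = {"Fn::GetAtt": [target, "Arn"]}
    return findings
```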
0

Hi,
Have you verified that the actual user that is launching the CloudFormation stack has the iam:PassRole permission?
-randy

Edited by: RandyTakeshita on Sep 3, 2019 12:04 AM

answered 5 years ago
0

Hello, Randy

Thank you for your reply.

I'm operating as the root user, so the user has the iam:PassRole permission.

tetsuro
answered 5 years ago
0

I reproduced the error.
Thank you so much for your advice.

tetsuro
answered 5 years ago