How do I troubleshoot missing permission errors in CloudFormation?

I want to resolve permission errors in AWS CloudFormation.

Short description

When you launch a stack, CloudFormation assumes the credentials of the user who launched the stack to make the API calls. If a service role is defined for the stack, then CloudFormation assumes this role. The assumed user or service role might have a limited list of allowed actions that CloudFormation can perform. The operation fails when the role doesn't have the permissions to create, delete, or update a resource. The failure generates the following type of error message:

User: [IAM Role] is not authorized to perform: ec2:RunInstances on resource: [Resource Id] because no identity-based policy allows the ec2:RunInstances action

Resolution

The following sections present ways to troubleshoot identity-based and resource-based policy errors.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Identity-based policy error

Identify the calling role

CloudFormation allows you to specify a service role to make calls to resources in a stack on your behalf. If a service role isn't specified, then CloudFormation calls using the AWS Identity and Access Management (IAM) credentials of the user who initiated the stack operation.

Find the service role in the AWS CloudFormation console.

  1. Open the AWS CloudFormation console.
  2. Select your stack under the Stacks page. This opens the Overview section of the page.
  3. Check the value under IAM Role. The value that you see is the service role configured for this stack.

If there isn't any value, then the service role isn't configured. Instead, all stack operations were done using the credentials of the role that initiated the stack operations.

To find the service role from the command line, run the describe-stacks AWS CLI command and check the value of RoleARN. If this field is empty, then the service role isn't defined, and CloudFormation uses the role that was used to launch the stack.

Add the missing permission

Find the exact missing permission in the error message returned by CloudFormation. Or, search for the permission error on AWS CloudTrail to see what API action was denied. As a best practice, search for events that occurred at the same time that the error was generated. Then, follow these steps to resolve the error:

  1. Add the missing permission to the IAM policy that's associated with the role. Or, pivot to using a service role that has the necessary permissions.
  2. Add the action to a policy attached to the IAM role. Or, create a new policy.

Note: Use the IAM policy simulator on the role to confirm that it has the permissions to launch the resources defined in the template.

Resource-based policy error

Sometimes, the role has the identity-based permissions, but the resource-based policy of the resource that's accessed doesn't allow the role to modify it. Resources such as AWS Key Management Service (AWS KMS) keys and Amazon Simple Storage Service (Amazon S3) buckets use resource-based policies. The resulting error might look like this:

User: [IAM Role] is not authorized to perform: ec2:RunInstances on resource: [Resource Id] because no resource-based policy allows the ec2:RunInstances action

Follow these steps to resolve the error:

Identify the calling role

  1. Open the AWS CloudFormation console.
  2. Select your stack under the Stacks page.
  3. Check the value under IAM Role in the Overview section of the page. The value for the IAM role is the service role configured for this stack.

If there isn't any value, then the service role isn't configured. Instead, all stack operations were done using the credentials of the entity that initiated the stack operations.

To find the service role from the command line, run the describe-stacks AWS CLI command and check the value of RoleARN. If this field is empty, then a service role isn't defined, and CloudFormation uses the role that was used to launch the stack.

Update the resource-based policy

  1. Review the error to retrieve the Amazon Resource Name (ARN) of the resource that you can't access. If the error doesn't show the resource's ARN, then search the associated CloudTrail event log to see the resources that were passed with the request.
  2. Use the authorization error to determine the permission needed to modify the resource.
  3. Review the resource policy and add the calling role to the policy. Or, add the necessary statement to allow the IAM role to perform the action on the resource.

For example, you might receive the following error when you run the Decrypt KMS API:

"User: arn:aws:sts::12345678910:assumed-role/AWSServiceRoleForConfig/LambdaDescribeHandlerSession is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:eu-west-1:12345678910:key/********-****-****-****-************ because no resource-based policy allows the kms:Decrypt action"

The error message indicates that the AWS KMS key's policy doesn't permit the IAM role AWSServiceRoleForConfig to access the kms:Decrypt action. Update the KMS policy to grant the IAM role access to this action.
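Both error types above share one message shape, so the calling principal, the denied action, the resource and the policy type to fix can be read straight from the text. The following Python is an added example, not AWS code: the function names and the role ARN passed to suggested_statement are assumptions, and the sample message is the KMS error quoted above.

```python
import json
import re

# Shape of the denial messages quoted on this page.
DENIED = re.compile(
    r"User: (?P<principal>.+?) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>.+?) "
    r"because no (?P<policy_type>identity-based|resource-based) policy allows"
)

# Error text copied from the KMS example on this page (key ID masked there).
SAMPLE = (
    "User: arn:aws:sts::12345678910:assumed-role/AWSServiceRoleForConfig/"
    "LambdaDescribeHandlerSession is not authorized to perform: kms:Decrypt "
    "on resource: arn:aws:kms:eu-west-1:12345678910:key/"
    "********-****-****-****-************ because no resource-based policy "
    "allows the kms:Decrypt action"
)

def parse_denial(message):
    """Return principal, action, resource and policy_type, or None if no match."""
    match = DENIED.search(message)
    return match.groupdict() if match else None

def role_name(principal):
    """Role name from an STS assumed-role ARN, else None. The STS ARN omits the
    role's IAM path, so look up the full role ARN before using it as a Principal."""
    fields = principal.split(":", 5)
    if len(fields) == 6 and fields[2] == "sts" and fields[5].startswith("assumed-role/"):
        return fields[5].split("/")[1]
    return None

def suggested_statement(denial, role_arn=None):
    """Statement skeleton for the policy type named in the error; review before use."""
    statement = {"Effect": "Allow", "Action": denial["action"]}
    if denial["policy_type"] == "resource-based":
        if role_arn is None:
            raise ValueError("resource-based policies need the caller's role ARN")
        statement["Principal"] = {"AWS": role_arn}
        # In a KMS key policy, "*" refers to the key the policy is attached to.
        is_kms = denial["action"].startswith("kms:")
        statement["Resource"] = "*" if is_kms else denial["resource"]
    else:
        statement["Resource"] = denial["resource"]
    return statement

if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(json.dumps(denial, indent=2), role_name(denial["principal"]))
```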

Related information

Controlling access with AWS Identity and Access Management

AWS OFFICIAL Updated 2 months ago