How do I resolve the tagging permission error in my CloudFormation stack?

Short description

If you try to create or update a resource when you don't have the required tagging permissions, then the following error message appears:

"Encountered a permissions error applying tags, please add required tag permissions. Retrying request without including tags. Details: Resource handler returned message: User: arn:aws:sts::123456789:example-assumed-role is not authorized to perform: < eg API: :iam:TagRole> on resource: arn:aws:iam::123456789:role/abc with an explicit deny in an identity-based policy."

This error message is caused by insufficient permissions in the policies that are attached to your AWS Identity and Access Management (IAM) role. To resolve this error, you must add the missing permission that's shown in the error message to the assumed role.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

View the role and API that failed

For Amazon Elastic Compute Cloud (Amazon EC2) resources, you must first decode the encoded authorization failure message. Run the decode-authorization-message AWS CLI command to identify the role and the API that failed.

Note: Replace example-encoded-message with your encoded message and example-region with your AWS Region.

aws sts decode-authorization-message --encoded-message <example-encoded-message> --example-region

For other resources that aren't related to Amazon EC2, check the stack event page to view the role and the API that failed.

Use the IAM console to resolve the tagging permission error

Create a new inline policy

Complete the following steps:

1. Open the IAM console.
2. In the navigation pane, choose Users or Roles.
3. In the list, choose the name of the user or role that you want to embed the new policy into.
4. Choose the Permissions tab.
5. Choose Add permissions and then choose Create inline policy.
6. Choose either the Visual or JSON option to create the policy:

• For more information on the Visual option, see Creating policies with the visual editor.
• For more information on the JSON option, see Creating policies using the JSON editor.

Note: Make sure that you add the required permission. When you create the new inline policy, the required permission is automatically embedded in your user or role.

Edit an existing policy

To resolve the tagging permission error, edit an existing policy.

Use the AWS CLI to resolve the tagging permission error

1.    Run the put-role-policy AWS CLI command to add the required permissions policy to your role:

aws iam put-role-policy ---role-name example-role-name --policy-name example-policy --policy-document file**:**//AdminPolicy.jso

Note: The policy is defined as a JSON document in the AdminPolicy.json file. The file name and extension aren't important.

2.    Deploy your CloudFormation stack again.