API Gateway does not have permission to assume the provided role

0

Hi All,

I am trying to add a custom domain name to my API gateway and attach an ACM certificate. Not able to save as it throws the following error - "API Gateway does not have permission to assume the provided role arn:aws:iam::XXXXXXXXXXXX:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway". On reading the documentation, I understand, the role AWSServiceRoleForAPIGateway will be automatically created by API gateway when ACM certificate is attached. But I am not able to see that role in IAM. Please help me resolve this issue.
best regards,
Amal

Asked 5 years ago · Viewed 2165 times
5 Answers
1

There was an issue in API Gateway that caused this error to surface. We've patched the issue, and we apologize for the inconvenience.

Answered 5 years ago
1

Hi Randy,

Thanks for trying. I finally got that sorted. Posting it so that it may help others.
All I had to do was to create the service role using AWS-CLI.

        Amals-MacBook-Pro:.aws work$ aws iam create-service-linked-role --aws-service-name ops.apigateway.amazonaws.com --description "My service-linked role to attach ssl certificates in api gateway"

After the service role was created, I was able to attach the certificate from AWS Console without any errors.

UPDATE: Just saw the reply from AWS. Seems they have patched the issue. So nothing might be needed to make this work.
best regards,
Amal

Edited by: AmalAntony on Sep 4, 2019 6:06 PM

Answered 5 years ago
0

Hi,
Not sure if this will help, but does the user that you are currently logged in as have the following CreateServiceLinkedRole policy?

        {
            "Sid": "ServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::<account id number>:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"
        }

-randy

Answered 5 years ago
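
A check for the policy statement in the answer above, as an added example that is not part of the original thread or AWS's own code: it classifies an identity policy by whether its Allow statements permit `iam:CreateServiceLinkedRole` for the API Gateway role only, or for any service's role. The account id, the probe service name and all function names are assumptions; Deny statements, NotAction/NotResource, SCPs and permission boundaries are not evaluated.

```python
import json
import re

ACTION = "iam:CreateServiceLinkedRole"
SERVICE = "ops.apigateway.amazonaws.com"  # service principal named in the thread

def slr_arn(service, role_name, account="111122223333"):  # placeholder account id
    return f"arn:aws:iam::{account}:role/aws-service-role/{service}/{role_name}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, text, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text, flags) is not None

def allows(stmt, arn, service):
    """True if this Allow statement permits creating role `arn` for `service`."""
    hit = (stmt.get("Effect") == "Allow"
           and any(_wild(a, ACTION, re.I) for a in _as_list(stmt.get("Action", [])))
           and any(_wild(r, arn) for r in _as_list(stmt.get("Resource", []))))
    if not hit:
        return False
    for op, keys in stmt.get("Condition", {}).items():
        # Only iam:AWSServiceName is evaluated; other condition keys are ignored.
        for val in (v for k, v in keys.items() if k.lower() == "iam:awsservicename"):
            if op == "StringLike":
                ok = any(_wild(v, service) for v in _as_list(val))
            else:  # StringEquals is exact; any other operator fails closed
                ok = op == "StringEquals" and service in _as_list(val)
            if not ok:
                return False
    return True

def review(policy_json):
    """Classify a policy as 'missing', 'scoped' or 'overbroad' for the API Gateway role."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    other = "other-service.example.com"  # constructed probe: an unrelated service
    if not any(allows(s, slr_arn(SERVICE, "AWSServiceRoleForAPIGateway"), SERVICE) for s in stmts):
        return "missing"
    if any(allows(s, slr_arn(other, "AWSServiceRoleForOther"), other) for s in stmts):
        return "overbroad"
    return "scoped"

# Constructed sample: the statement from the answer above, wrapped in a policy document.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ServiceLinkedRole", "Effect": "Allow", "Action": ACTION,
    "Resource": slr_arn(SERVICE, "AWSServiceRoleForAPIGateway")}]})
```

A policy whose Action and Resource are both `*` comes back as `overbroad`, while a wildcard Resource combined with a `StringLike` condition on `iam:AWSServiceName` for `ops.apigateway.amazonaws.com` comes back as `scoped`.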
0

Hi Randy,

Thanks for the reply. The account I am logging in with has Administrator Access. The issue is not fixed yet.

Thanks and regards,
Amal

Edited by: AmalAntony on Sep 3, 2019 10:45 PM

Answered 5 years ago
0

Hi,
I am trying to reproduce your issue. I set up a custom domain for a Regional REST API in my environment and I was NOT able to reproduce your problem. The AWSServiceRoleForAPIGateway was properly created and the ACM Certificate was attached without errors.
My ACM Certificate was generated in us-east-1 and I created the Custom Domain Name in us-east-1 (not sure if that makes any difference).

My final screen looks like the following:

        example.com
        Uploaded on 9/3/2019
        Regional
        Status: AVAILABLE
        Security Policy: TLS 1.2
        Target Domain Name: d-55ssdnlp4zj.execute-api.us-east-1.amazonaws.com
        Hosted Zone ID: Z1UJRXOUMOOFQ8
        ACM Certificate: example.com (7589272b)

My logged in user also has the AWS provided AdministratorAccess Policy.

If you can think of anything different from your setup that you would like me to try on my side to see if I can reproduce, let me know.

-randy

Answered 5 years ago
