Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

API Gateway does not have permission to assume the provided role

0

Hi All,

I am trying to add a custom domain name to my API gateway and attach an ACM certificate. Not able to save as it throws the following error - "API Gateway does not have permission to assume the provided role arn:aws:iam::XXXXXXXXXXXX:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway". On reading the documentation, I understand, the role AWSServiceRoleForAPIGateway will be automatically created by API gateway when ACM certificate is attached. But I am not able to see that role in IAM. Please help me resolve this issue.
best regards,
Amal

Tópicos
Sem servidorWeb e dispositivos móveis front-endRede e entrega de conteúdo
Tags
Gateway do Amazon API
Idioma
English
AmalAntony
feita há 5 anos2165 visualizações
5 Respostas
1

There was an issue in API Gateway that caused this error to surface. We've patched the issue, and we apologize for the inconvenience.

AWS-User-8608052
respondido há 5 anos
1

Hi Randy,

Thanks for trying. I finally got that sorted. Posting it so that it may help others.
All I had to do was to create the service role using AWS-CLI.

 Amals-MacBook-Pro:.aws work$ aws iam create-service-linked-role --aws-service-name ops.apigateway.amazonaws.com --description "My service-linked role to attach ssl certificates in api gateway"

After the service role was created, I was able to attach the certificate from AWS Console without any errors.

UPDATE : Just saw the reply from AWS. Seems they have patched the issue. So nothing might be needed to make this work.
best regards,
Amal

Edited by: AmalAntony on Sep 4, 2019 6:06 PM

AmalAntony
respondido há 5 anos
0

Hi,
Not sure if this will help, but does the user that you are currently logged in as, have the following CreateServiceLinkedRole policy?

        {
            "Sid": "ServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::<account id number>:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway
        }

-randy

RandyTakeshita
respondido há 5 anos
0

Hi Randy,

Thanks for the reply. The account I am logging in with has Administrator Access. The issue is not fixed yet.

Thanks and regards,
Amal

Edited by: AmalAntony on Sep 3, 2019 10:45 PM

AmalAntony
respondido há 5 anos
0

Hi,
I am trying to reproduce your issue, I set up a custom domain for a Regional REST API in my environment and I was NOT able to reproduce your problem. The AWSServiceRoleForAPIGateway was properly created and the ACM Certificate was attached without errors.
My ACM Certificate was generated in us-east-1 and I created the Custom Domain Name in us-east-1 (not sure if that makes any difference).

My final screen looks like the following:

example.com
Uploaded on 9/3/2019

Regional
Status
AVAILABLE
Security Policy
TLS 1.2
Target Domain Name
d-55ssdnlp4zj.execute-api.us-east-1.amazonaws.com
Hosted Zone ID
Z1UJRXOUMOOFQ8
ACM Certificate
example.com (7589272b)

My logged in user also has the AWS provided AdministratorAccess Policy.

If you can think of anything different from your setup that you would like me to try on my side to see if I can reproduce, let me know.

-randy

RandyTakeshita
respondido há 5 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante