
IAM Role ARN Validation Error When Adding Amazon Connect Event Destination for WhatsApp Messaging

0

I am attempting to configure a WhatsApp Business phone number in AWS End User Messaging (Social messaging) and integrate it with Amazon Connect for event destinations.

When I try to add Amazon Connect as an event destination and provide an IAM role ARN, I encounter the following validation error:

1 validation error detected: Value 'arn:aws:iam::099437942532:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_Whatsapp_Messaging' at 'setupFinalization.waba.eventDestinations.1.member.roleArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:aws:iam::\d{12}:role\/[a-zA-Z0-9+=,.@\-_]+ RequestId: 1f6997a7-872b-4284-a7ff-6bf0c92bd59c HttpStatusCode: 400

Context

I am in the AWS End User Messaging service, navigating to Social messaging -> WhatsApp: Business accounts -> Add WhatsApp phone number. The ARN I'm trying to use is arn:aws:iam::099437942532:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_Whatsapp_Messaging

My Understanding/Attempted Fix:

My initial understanding was that the AWSServiceRoleForAmazonConnect_Whatsapp_Messaging (my created service-linked role), along with its associated AmazonConnectServiceLinkedRolePolicy would be sufficient for setting up the event destination. However, the validation error suggests that the provided ARN does not match the expected regular expression pattern for a standard IAM role, leading me to believe that the service might expect a custom IAM role for this configuration.

My Question:

  • Is my understanding correct that I need to create a custom IAM role instead of using a service-linked role for the "Two-way channel role" or "Event Destination" when integrating WhatsApp Business with Amazon Connect in AWS End User Messaging?
  • If so, what are the minimum required IAM permissions (actions and resources) that this custom role needs to have for Amazon Connect to successfully act as an event destination for WhatsApp messaging?
  • Are there any specific trust policy configurations required for this custom role to allow Amazon Connect to assume it?

Any guidance or example IAM policies would be greatly appreciated.

1 Answer
0
Accepted Answer

Based on the validation error you're encountering, you're correct that you need to create a custom IAM role rather than using a service-linked role for the WhatsApp Business integration with Amazon Connect.

The error message indicates that the ARN format you're using doesn't match the expected pattern. The pattern requires a standard IAM role ARN format: arn:aws:iam::\d{12}:role/[a-zA-Z0-9+=,.@\-_]+. Your current ARN includes additional path segments (aws-service-role/connect.amazonaws.com/) which don't match this pattern.

To resolve this issue:

  1. Create a custom IAM role with a direct path (without the service-role path segments)
  2. For the trust policy, you'll need to allow the SMS and voice service to assume the role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SMSVoice",
          "Effect": "Allow",
          "Principal": {
            "Service": "sms-voice.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "YOUR_ACCOUNT_ID"
            }
          }
        }
      ]
    }

For the permissions policy, you'll need to grant permissions for the role to import phone numbers and write events. The exact permissions will depend on your specific use case, but at minimum, you'll need permissions to handle the WhatsApp message events and integrate with Amazon Connect.

When creating this role, make sure:

  1. The role name follows the pattern of allowed characters: alphanumeric characters and these special characters: +=,.@-_
  2. The role is created directly under your account (not in a service-role path)
  3. The appropriate trust relationship is established to allow the necessary AWS services to assume the role
Sources
  • Validation error when trying to enable TwoWay Message with Amazon Connect in Pinpoint | AWS re:Post
  • WhatsAppBusinessAccountEventDestination - AWS End User Messaging Social
  • IAM policy validation check reference - AWS Identity and Access Management
answered a year ago
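An added example, not part of the question or the accepted answer: the script below applies the exact regular expression from the validation error to a role ARN before it is submitted, explains why the service-linked role ARN from the question fails (the role-name character class contains no `/`, so any path such as `aws-service-role/connect.amazonaws.com/` is rejected), and generates the trust policy from the answer with the `aws:SourceAccount` condition filled in. It also lints a trust policy for the missing-condition case, since a statement that trusts `sms-voice.amazonaws.com` without that condition is the classic confused-deputy gap. The account ID is the one shown in the question; the role name `WhatsAppConnectEventRole` is an assumed placeholder.

```python
import json
import re

# Pattern quoted verbatim in the validation error on this page. The service
# applies it to the whole value, so fullmatch() is the right test. Note the
# role-name class has no '/', which is why a service-linked role ARN of the
# form role/aws-service-role/<service>/<name> is rejected.
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/([a-zA-Z0-9+=,.@\-_]+)")

# Service principal named in the trust policy from the accepted answer.
TRUSTED_SERVICE = "sms-voice.amazonaws.com"


def check_role_arn(arn: str) -> dict:
    """Classify a role ARN the way the event-destination validator does.

    Returns 'valid', 'account', 'role_name' and a human-readable 'reason'
    so the caller can see *why* an ARN fails before submitting it.
    """
    m = ROLE_ARN_RE.fullmatch(arn)
    if m:
        return {"valid": True, "account": m.group(1),
                "role_name": m.group(2), "reason": "ok"}

    result = {"valid": False, "account": None, "role_name": None}
    prefix = "arn:aws:iam::"
    if not (arn.startswith(prefix) and ":role/" in arn):
        result["reason"] = "not an IAM role ARN of the form arn:aws:iam::<12 digits>:role/<name>"
        return result

    account, _, path_and_name = arn[len(prefix):].partition(":role/")
    if not re.fullmatch(r"\d{12}", account):
        result["reason"] = f"account id '{account}' is not exactly 12 digits"
    elif "/" in path_and_name:
        # Service-linked and other pathed roles land here.
        path, _, name = path_and_name.rpartition("/")
        result["reason"] = (f"role has path '{path}/'; the pattern only accepts a role "
                            f"directly under role/ (e.g. role/{name})")
    else:
        result["reason"] = "role name contains a character outside [a-zA-Z0-9+=,.@-_]"
    return result


def build_trust_policy(account_id: str) -> dict:
    """Trust policy from the answer, with YOUR_ACCOUNT_ID filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SMSVoice",
            "Effect": "Allow",
            "Principal": {"Service": TRUSTED_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def trust_policy_issues(policy: dict, account_id: str) -> list:
    """Lint a trust policy: the service principal must be allowed, and every
    Allow statement for it must be pinned to your account (confused-deputy guard)."""
    issues = []
    found = False
    for st in policy.get("Statement", []):
        services = st.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if st.get("Effect") != "Allow" or TRUSTED_SERVICE not in services:
            continue
        found = True
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            issues.append(f"statement {st.get('Sid', '?')} trusts {TRUSTED_SERVICE} "
                          f"without aws:SourceAccount == {account_id}")
    if not found:
        issues.append(f"no Allow statement for service principal {TRUSTED_SERVICE}")
    return issues


if __name__ == "__main__":
    # ARN from the question (rejected) and an assumed replacement (accepted).
    service_linked = ("arn:aws:iam::099437942532:role/aws-service-role/"
                      "connect.amazonaws.com/AWSServiceRoleForAmazonConnect_Whatsapp_Messaging")
    custom = "arn:aws:iam::099437942532:role/WhatsAppConnectEventRole"
    for arn in (service_linked, custom):
        print(arn, "->", check_role_arn(arn)["reason"])
    policy = build_trust_policy(check_role_arn(custom)["account"])
    print(json.dumps(policy, indent=2))
    print("trust policy issues:", trust_policy_issues(policy, "099437942532"))
```

Run it as-is to see the service-linked ARN rejected with the path explanation and the custom ARN accepted; pipe the printed policy into `aws iam create-role --assume-role-policy-document file://...` once the permissions policy for your use case is settled.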

