IoT DescribeRoleAlias denied from CloudFormation


What I'm trying to do:

When the stack gets created, it hits CREATE_FAILED on the AWS::IoT::RoleAlias:

Resource handler returned message: "Access denied for operation 'DescribeRoleAlias'." (RequestToken: *****, HandlerErrorCode: AccessDenied)

I see the role alias in the IoT Core console, and I see the successful CreateRoleAlias call in CloudTrail, but something around the permissions of DescribeRoleAlias appears to be lacking.

The policy in use by the GitHub Action:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"cloudformation:ListStacks",
				"cloudformation:CreateStack",
				"cloudformation:CreateChangeSet",
				"cloudformation:DescribeChangeSet",
				"cloudformation:ExecuteChangeSet",
				"cloudformation:DeleteChangeSet",
				"cloudformation:DescribeStacks"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:GetRole",
				"iam:DeleteRolePolicy",
				"iam:CreateRole",
				"iam:DeleteRole",
				"iam:PutRolePolicy",
				"iam:GetRolePolicy"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "iot.amazonaws.com"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:CreateRoleAlias",
				"iot:DeleteRoleAlias",
				"iot:DescribeRoleAlias",
				"iot:UpdateRoleAlias"
			],
			"Resource": "*"
		}
	]
}

The CloudFormation template:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  MyGreengrassV2TokenExchangeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - credentials.iot.amazonaws.com
            Action:
              - sts:AssumeRole
  MyGreengrassV2TokenExchangeRoleAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: MyGreengrassV2TokenExchangeRoleAccess
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
              - s3:GetBucketLocation
            Resource: "*"
      Roles:
        - !Ref MyGreengrassV2TokenExchangeRole
  MyGreengrassCoreTokenExchangeRoleAlias:
    Type: AWS::IoT::RoleAlias
    Properties:
      RoleArn: !GetAtt MyGreengrassV2TokenExchangeRole.Arn
      RoleAlias: MyGreengrassCoreTokenExchangeRoleAlias

Additional notes:

  • Is there some way for me to view more details about why DescribeRoleAlias is being denied?
  • I get the same exact failure when I remove iot:DescribeRoleAlias from the policy used by the GitHub Action; its presence doesn't seem to have any effect.
  • Is this related to iam:PassRole?

What's missing?

  • Hello, I'd recommend that you look at CloudTrail to see what exact API call is being denied. This is a good permission debugging technique in general.

1 Answer
Accepted Answer

Hi,

I have performed tests with the same IAM policy and CloudFormation stack and can replicate the permission error. While looking at CloudTrail, I found the following log for my IAM role iot-cloudformation:

"errorMessage": "User: arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation is not authorized to perform: iot:ListTagsForResource on resource: arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias because no identity-based policy allows the iot:ListTagsForResource action",

Therefore, when CloudFormation manages the IoT role alias resource, it sends an iot:ListTagsForResource event as well. With the following IAM policy, the CloudFormation creation passed:

        {
            "Effect": "Allow",
            "Action": [
                "iot:CreateRoleAlias",
                "iot:DeleteRoleAlias",
                "iot:DescribeRoleAlias",
                "iot:UpdateRoleAlias",
                "iot:ListTagsForResource"
            ],
            "Resource": "*"
        }
Feng_C (AWS)
answered 8 months ago
  • Aha, the debugging piece I was missing was that I needed to filter the CloudTrail event history by the user name. Then I could see that failed ListTagsForResource call. Now that I've added iot:ListTagsForResource to the policy, my stack (including the role alias) is successfully creating. Thanks!
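An added example, not code from the answer or the asker's setup: the first function pulls the denied action out of the errorMessage of AccessDenied CloudTrail records for one named role (the filter-by-user step from the comment above), and the second checks those actions against an IAM policy document to show which ones no Allow statement covers. The event records, the "other" principal and the wildcard policy in the test are constructed samples.

```python
import fnmatch
import re

# Matches "is not authorized to perform: <service>:<Action>" in a CloudTrail
# errorMessage, the wording the answer above quoted.
DENIED_RE = re.compile(r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+)")

# Constructed CloudTrail records (dummy account id); shape follows LookupEvents' CloudTrailEvent JSON.
SAMPLE_EVENTS = [
    {"eventSource": "iot.amazonaws.com", "eventName": "CreateRoleAlias",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "iot-cloudformation"}}}},
    {"eventSource": "iot.amazonaws.com", "eventName": "ListTagsForResource",
     "errorCode": "AccessDenied",
     "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation"
                      " is not authorized to perform: iot:ListTagsForResource on resource:"
                      " arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias"
                      " because no identity-based policy allows the iot:ListTagsForResource action"),
     "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "iot-cloudformation"}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketLocation", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/other is not authorized to perform:"
                     " s3:GetBucketLocation on resource: arn:aws:s3:::example-bucket",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "other"}}}},
]

# The IoT statement from the question's policy, before iot:ListTagsForResource was added.
IOT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["iot:CreateRoleAlias", "iot:DeleteRoleAlias",
               "iot:DescribeRoleAlias", "iot:UpdateRoleAlias"]}]}


def denied_actions(events, user_name):
    """IAM actions CloudTrail reports as AccessDenied for the role or user named user_name."""
    denied = set()
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        if ev.get("errorCode") != "AccessDenied" or issuer != user_name:
            continue
        m = DENIED_RE.search(ev.get("errorMessage", ""))
        # Fall back to service:EventName when the message carries no action string.
        denied.add(m.group("action") if m else f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}")
    return denied


def missing_from_policy(policy, denied):
    """Denied actions that no Allow statement covers; '*' wildcards in Action are honoured."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            patterns += [acts] if isinstance(acts, str) else acts
    return {a for a in denied if not any(fnmatch.fnmatchcase(a, p) for p in patterns)}
```

On a live account the same functions can be fed the parsed CloudTrailEvent JSON returned by the CloudTrail LookupEvents API; Deny statements are not evaluated, so the result is a lower bound on what the policy needs.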
