I'm currently working on the AWS Code Family Introduction workshop to familiarize myself with AWS' products. I'm at the part where I create a SAM project and use the SAM CLI to create a serverless CodePipeline CI pipeline. All is well until I push my commit and trigger CodePipeline to execute the deployment of the project using CloudFormation. When CloudFormation gets to the point of provisioning the IAM role for Lambda functions for the sample API Gateway, I see the following error message:
Resource handler returned message: "null"
This then cascades into other failures such as "Resource creation cancelled" for "getByIdFunctionRole" and a few other roles followed by "The following resource(s) failed to create: [getAllItemsFunctionRole, putItemFunctionRole, getByIdFunctionRole]. Rollback requested by user."
It is evident that the initial error message is not very helpful. One thing I've considered is if the CodePipeline service role was missing IAM permission to create a role. However, when I checked the IAM policy that was attached, the effect statement was set to allow on action and resource "*". This leads me to believe it should have all the required access. I tried checking CloudTrail for hints on the failure, but I'm having a hard time trying to locate the user used for deployment. When I did find events that are related to CloudFormation such as CreateStack, I don't see any error messages in the logs.
I've been grinding away on this problem for 30 minutes and I'm out of ideas. What can I do to narrow down the problem further to identify the root cause? Thanks in advance.
Agree with Riku: tracing via CloudTrail will allow you to see which API steps were taken by CloudTrail until the stack fails.
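One way to do the CloudTrail tracing suggested above without knowing the deployment user in advance, as an added example that is not part of the original answers: filter the JSON returned by `aws cloudtrail lookup-events` for failed calls whose `userIdentity.invokedBy` is CloudFormation. The sample events, account id, role names and error values are constructed for illustration and are not taken from the question.

```python
import json

CFN = "cloudformation.amazonaws.com"

def _event(time, name, source, role, invoked_by=None, error=None):
    """Build one constructed entry shaped like `aws cloudtrail lookup-events` output."""
    record = {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"},
    }
    if invoked_by:
        record["userIdentity"]["invokedBy"] = invoked_by
    if error:
        record["errorCode"] = error
        record["errorMessage"] = "constructed error text"
    # lookup-events returns the full record as a JSON string in "CloudTrailEvent"
    return {"EventName": name, "CloudTrailEvent": json.dumps(record)}

# Constructed sample data: account id, role names and errors are placeholders.
SAMPLE = {"Events": [
    _event("2024-01-01T12:00:05Z", "AttachRolePolicy", "iam.amazonaws.com",
           "example-deploy-role", CFN, "AccessDenied"),
    _event("2024-01-01T12:00:00Z", "ExecuteChangeSet", CFN, "example-pipeline-role"),
    _event("2024-01-01T12:00:02Z", "CreateRole", "iam.amazonaws.com",
           "example-deploy-role", CFN, "AccessDenied"),
    _event("2024-01-01T12:00:03Z", "CreateRole", "iam.amazonaws.com",
           "example-deploy-role", CFN),
]}

def failed_calls_by_cloudformation(lookup_output):
    """Return failed API calls CloudFormation made for the stack, oldest first."""
    failures = []
    for item in lookup_output.get("Events", []):
        record = json.loads(item["CloudTrailEvent"])
        identity = record.get("userIdentity", {})
        # Calls a service makes on your behalf carry its name in invokedBy;
        # failed calls carry errorCode (and usually errorMessage).
        if identity.get("invokedBy") != CFN or "errorCode" not in record:
            continue
        failures.append({
            "time": record["eventTime"],
            "call": f'{record["eventSource"]}:{record["eventName"]}',
            "caller": identity.get("arn", "unknown"),
            "error": record["errorCode"],
            "message": record.get("errorMessage", ""),
        })
    return sorted(failures, key=lambda f: f["time"])
```

The `caller` field of each result is the role that CloudFormation used for the failing call, which is the identity whose permissions are worth checking.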