
CloudFormation stack deployment failed on IAM role creation due to error - Resource handler returned message: "null"

0

I'm currently working on the AWS Code Family Introduction workshop to familiarize myself with AWS's products. I'm at the part where I create a SAM project and use the SAM CLI to create a serverless CodePipeline CI pipeline. All is well until I push my commit and trigger CodePipeline to execute the deployment of the project using CloudFormation. When CloudFormation gets to the point of provisioning the IAM role for the Lambda functions for the sample API Gateway, I see the following error message:

Resource handler returned message: "null"

This then cascades into other failures such as "Resource creation cancelled" for "getByIdFunctionRole" and a few other roles followed by "The following resource(s) failed to create: [getAllItemsFunctionRole, putItemFunctionRole, getByIdFunctionRole]. Rollback requested by user."

It is evident that the initial error message is not very helpful. One thing I've considered is whether the CodePipeline service role was missing the IAM permission to create a role. However, when I checked the IAM policy that was attached, the effect statement was set to allow on action and resource "*". This leads me to believe it should have all the required access. I tried checking CloudTrail for hints on the failure, but I'm having a hard time trying to locate the user used for deployment. When I did find events that are related to CloudFormation, such as CreateStack, I don't see any error messages in the logs.

I've been grinding away on this problem for 30 minutes and I'm out of ideas. What can I do to narrow down the problem further to identify the root cause? Thanks in advance.

asked a year ago, 1.1K views
1 Answer
1

Hello.

I believe that the creation of an IAM role is recorded in CloudTrail as an event called "CreateRole".
So, try searching for this event in CloudTrail's event history and see if an error has occurred.
By the way, please note that the "CreateRole" event cannot be found unless you look at CloudTrail in the us-east-1 region.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html

answered a year ago
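One way to sift the CloudTrail results the answer points to, as an added example that is not part of the original answer: it assumes you have saved the output of `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateRole --region us-east-1` to a file, and the embedded sample is a constructed stand-in for that output with placeholder account id, role names and error codes.

```python
import json

# Constructed sample (placeholder account id, role names and errors), shaped like
# `aws cloudtrail lookup-events` output: the full record is a JSON *string*
# under "CloudTrailEvent", so it must be decoded a second time.
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    {"EventName": "CreateRole", "EventSource": "iam.amazonaws.com",
     "CloudTrailEvent": json.dumps({
         "eventName": "CreateRole", "eventTime": "2024-01-01T10:00:00Z",
         "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/EXAMPLE-pipeline-role/AWSCloudFormation",
                          "invokedBy": "cloudformation.amazonaws.com"},
         "requestParameters": {"roleName": "sam-app-getAllItemsFunctionRole-EXAMPLE"}})},
    {"EventName": "CreateRole", "EventSource": "iam.amazonaws.com",
     "CloudTrailEvent": json.dumps({
         "eventName": "CreateRole", "eventTime": "2024-01-01T10:00:01Z",
         "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/EXAMPLE-pipeline-role/AWSCloudFormation",
                          "invokedBy": "cloudformation.amazonaws.com"},
         "requestParameters": {"roleName": "sam-app-getByIdFunctionRole-EXAMPLE"},
         "errorCode": "EntityAlreadyExists",
         "errorMessage": "Role with name sam-app-getByIdFunctionRole-EXAMPLE already exists."})},
    {"EventName": "CreateRole", "EventSource": "iam.amazonaws.com",
     "CloudTrailEvent": json.dumps({
         "eventName": "CreateRole", "eventTime": "2024-01-01T10:00:02Z",
         "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/EXAMPLE-pipeline-role/AWSCloudFormation",
                          "invokedBy": "cloudformation.amazonaws.com"},
         "requestParameters": None,  # parameters are sometimes absent on denied calls
         "errorCode": "AccessDenied",
         "errorMessage": "User is not authorized to perform: iam:CreateRole"})},
]})


def failed_create_role_events(lookup_output_json):
    """Return one dict per CreateRole call that CloudTrail recorded with an errorCode.
    Successful calls carry no errorCode and are skipped."""
    failures = []
    for event in json.loads(lookup_output_json).get("Events", []):
        record = json.loads(event["CloudTrailEvent"])  # nested JSON string
        if record.get("eventName") != "CreateRole" or "errorCode" not in record:
            continue
        params = record.get("requestParameters") or {}
        identity = record.get("userIdentity") or {}
        failures.append({
            "eventTime": record.get("eventTime"),
            "roleName": params.get("roleName"),
            "caller": identity.get("arn"),          # which role CloudFormation assumed
            "invokedBy": identity.get("invokedBy"),  # the service that made the call
            "errorCode": record["errorCode"],
            "errorMessage": record.get("errorMessage", ""),
        })
    return failures


if __name__ == "__main__":
    for f in failed_create_role_events(SAMPLE_LOOKUP_OUTPUT):
        print(f"{f['eventTime']} {f['roleName']}: {f['errorCode']} via {f['caller']}")
```

Against real data, the `caller` and `invokedBy` fields are what identify the deployment principal the question could not locate, and an empty result means the CreateRole calls themselves succeeded and the failure lies elsewhere in the stack events.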
  • Agree with Riku: tracing via CloudTrail will allow you to see which API steps were taken by CloudTrail until the stack fails.
