AWS CodePipeline "not authorized to assume role" due to missing CloudWatch Logs permissions

0

I encountered a frustrating issue with AWS CodePipeline where I kept getting the error:

```
InvalidStructureException: CodePipeline is not authorized to perform AssumeRole on role arn:aws:iam::[your account number]:role/CodePipelineServiceRole
```

This made it seem like there was an issue with the IAM trust policy or the attached permissions. However, after hours of debugging, I found out that the real culprit was a missing CloudWatch Logs permission in my pipeline's IAM role.

The policy needed to include:

```json
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": [
    "arn:aws:logs:us-east-2:[your account number]:log-group:/aws/codepipeline/[your pipeline name]",
    "arn:aws:logs:us-east-2:[your account number]:log-group:/aws/codepipeline/[your pipeline name]/*"
  ]
}
```

Solution: Ensure your CodePipeline IAM Role has permissions for CloudWatch Logs if you're using custom logging. If you encounter InvalidStructureException or not authorized to assume role, check if missing logging permissions are the root cause. Hope this helps others avoid wasting time debugging misleading IAM errors!

1 Answer
1
Accepted Answer

You're absolutely correct, and thank you for sharing this valuable insight. The issue you encountered is indeed a common pitfall when setting up AWS CodePipeline, and it's not always obvious that missing CloudWatch Logs permissions can lead to a "not authorized to assume role" error.

When CodePipeline runs, it creates a log group using the pipeline name, which requires specific permissions for log creation and management. The error message you received about not being authorized to assume the role can be misleading, as it doesn't directly point to the missing CloudWatch Logs permissions.

To resolve this issue, it's crucial to add the following permissions to the CodePipeline service role:

  1. logs:CreateLogGroup
  2. logs:CreateLogStream
  3. logs:PutLogEvents

These permissions should be scoped to the specific pipeline's log group for better security practices. The policy statement you provided is correct and should be added to the service role policy:

```json
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": [
    "arn:aws:logs:us-east-2:[your account number]:log-group:/aws/codepipeline/[your pipeline name]",
    "arn:aws:logs:us-east-2:[your account number]:log-group:/aws/codepipeline/[your pipeline name]/*"
  ]
}
```

This addition ensures that CodePipeline has the necessary permissions to create and manage its log groups and streams in CloudWatch Logs.

For anyone encountering similar "not authorized to assume role" or "InvalidStructureException" errors in CodePipeline, it's worth checking the CloudWatch Logs permissions as a potential root cause, especially if you've already verified that the basic IAM role and trust relationships are correctly set up.

Your experience highlights the importance of comprehensive permissions setup in AWS services and serves as a reminder that error messages may not always directly point to the underlying issue. Thank you for sharing this solution, as it will undoubtedly save time for others facing similar challenges with AWS CodePipeline.
Sources
Commands action reference - AWS CodePipeline
Troubleshooting AWS CodePipeline identity and access - AWS CodePipeline

answered 2 months ago
EXPERT
reviewed 2 months ago
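The answer above says the three `logs:` actions should be present and scoped to the pipeline's own log group. The following checker is an added example (not code from the question, the answer, or AWS) that takes an IAM policy document and reports which of the required actions are missing for the two log-group ARNs and whether the grant is over-broad (a `Resource` that matches the pipeline log group without naming it, such as `"*"`). The account number `123456789012`, region `us-east-2` and pipeline name `my-pipeline` are constructed sample values; the three embedded policies are constructed too, the first being the statement from the post with those values filled in.

```python
"""Check an IAM policy for the CloudWatch Logs grants a CodePipeline service role needs.
Added example; the sample policies and identifiers below are constructed, not from the post."""
import fnmatch
import json

# The actions the answer says the service role must have on its log group.
REQUIRED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

# Constructed sample identifiers (hypothetical account, region and pipeline name).
ACCOUNT, REGION, PIPELINE = "123456789012", "us-east-2", "my-pipeline"


def pipeline_log_group_arns(account, region, pipeline):
    """The two Resource ARNs from the post's policy, with the placeholders filled in."""
    base = f"arn:aws:logs:{region}:{account}:log-group:/aws/codepipeline/{pipeline}"
    return [base, base + "/*"]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_logs_permissions(policy, account, region, pipeline):
    """Return {"ok": bool, "missing": {arn: [actions]}, "overly_broad": bool}.

    A required action counts as granted on an ARN when an Allow statement has a Resource
    pattern matching that ARN (IAM-style '*' / '?' wildcards, as fnmatch implements them)
    and an Action pattern matching the action (case-insensitive, so "logs:*" counts).
    The check treats the two ARNs literally, exactly as the post's policy lists them."""
    targets = pipeline_log_group_arns(account, region, pipeline)
    granted = {arn: set() for arn in targets}
    scoped_marker = f"log-group:/aws/codepipeline/{pipeline}"
    overly_broad = False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        for resource in _as_list(stmt.get("Resource")):
            for arn in targets:
                if not fnmatch.fnmatchcase(arn, resource):
                    continue
                # A Resource that covers the pipeline's log group without naming it
                # grants far more than the answer recommends.
                if scoped_marker not in resource:
                    overly_broad = True
                for required in REQUIRED_ACTIONS:
                    if any(fnmatch.fnmatchcase(required.lower(), a) for a in actions):
                        granted[arn].add(required)

    missing = {arn: sorted(REQUIRED_ACTIONS - acts) for arn, acts in granted.items()}
    return {
        "ok": not any(missing.values()),
        "missing": missing,
        "overly_broad": overly_broad,
    }


def _policy(statement_json):
    return {"Version": "2012-10-17", "Statement": [json.loads(statement_json)]}


# Constructed sample 1: the post's statement with the placeholders filled in.
SCOPED_POLICY = _policy(json.dumps({
    "Effect": "Allow",
    "Action": sorted(REQUIRED_ACTIONS),
    "Resource": pipeline_log_group_arns(ACCOUNT, REGION, PIPELINE),
}))

# Constructed sample 2: the same scope but one action left out (the failure mode).
INCOMPLETE_POLICY = _policy(json.dumps({
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream"],
    "Resource": pipeline_log_group_arns(ACCOUNT, REGION, PIPELINE),
}))

# Constructed sample 3: works, but is not scoped to the pipeline's log group.
WILDCARD_POLICY = _policy(json.dumps({"Effect": "Allow", "Action": "logs:*", "Resource": "*"}))


if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("incomplete", INCOMPLETE_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        print(name, json.dumps(check_logs_permissions(pol, ACCOUNT, REGION, PIPELINE)))
```

To run it against a real role, fetch the policy document with `aws iam get-role-policy` (or `get-policy-version` for a managed policy) and pass the parsed JSON as `policy`; the report names exactly which action is absent for which ARN, which is the information the misleading AssumeRole error hides.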
