Codepipeline: "root is not authorized to perform: iam:PassRole"

0

Hello,

I'm trying to create a CodePipeline with CloudFormation.

But this error occurred.

User: arn:aws:iam::<user id>:root is not authorized to perform: iam:PassRole on resource: CloudFormationRole

Here is my code.

```yaml
  #CloudFormation
  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole

  CloudFormationServicePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName:
        !Sub CloudFormationPolicy-${AWS::AccountId}

      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CloudWatchLogsPolicy
            Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: "*"

          - Sid: S3ObjectPolicy
            Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
            Resource: "*"

          - Sid: ECRPowerUserPolicy
            Effect: Allow
            Action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:DescribeImages
              - ecr:BatchGetImage
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            Resource: "*"

      Roles:
        - !Ref CloudFormationRole

  #CodePipeline
  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        EncryptionKey:
          Id: !GetAtt KMSPrivateKey.Arn
          Type: KMS
        Location: !Ref CodeCommitS3Bucket
        Type: S3
      RoleArn: !GetAtt CodePipelineServiceRole.Arn
      Stages:
      - Actions:
        - ActionTypeId:
            Category: Source
            Owner: AWS
            Provider: CodeCommit
            Version: 1
          Configuration:
            PollForSourceChanges: false
            RepositoryName: !Ref RepositoryName
            BranchName: master
          Name: source
          OutputArtifacts:
          - Name: CodecommitArtifact
          RoleArn: !GetAtt CodeCommitRole.Arn
        Name: source
      - Actions:
        - ActionTypeId:
            Category: Build
            Owner: AWS
            Provider: CodeBuild
            Version: 1
          Configuration:
            ProjectName: !Ref CodeBuild
          InputArtifacts:
          - Name: CodecommitArtifact
          OutputArtifacts:
          - Name: CodebuildArtifact
          Name: build
        Name: build
      - Actions:
        - ActionTypeId:
            Category: Deploy
            Owner: AWS
            Provider: CloudFormation
            Version: 1
          Configuration:
            ActionMode: CHANGE_SET_REPLACE
            RoleArn: !Ref CloudFormationRole
            StackName: !Ref RepositoryName
          InputArtifacts:
            - Name: CodebuildArtifact
          Name: GenerateChangeSet
        Name: ChangeSetReplace
      - Actions:
        - ActionTypeId:
            Category: Deploy
            Owner: AWS
            Provider: CloudFormation
            Version: 1
          Configuration:
            ActionMode: CHANGE_SET_EXECUTE
            RoleArn: !Ref CloudFormationRole
            StackName: !Ref RepositoryName
          Name: ExecuteChangeSet
        Name: Deploy

  CodePipelineServiceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeCommitFullAccess
        - arn:aws:iam::aws:policy/AWSLambdaFullAccess
        - arn:aws:iam::aws:policy/AWSCodeDeployFullAccess
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
        - arn:aws:iam::aws:policy/AWSCodePipelineFullAccess
        - arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess
        - arn:aws:iam::aws:policy/CloudWatchEventsFullAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codepipeline.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !GetAtt CodeCommitRole.Arn
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS: !GetAtt CloudFormationRole.Arn
            Action: sts:AssumeRole

  CodePipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName:
        !Sub CodePipelineServicePolicy-${AWS::AccountId}
      Roles:
        - !Ref CodePipelineServiceRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !Sub arn:aws:iam::${DevelopAccountID}:role/*
          - Sid: "S3Policy"
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:GetBucketVersioning
            Resource: "*"
            Effect: Allow

          - Sid: CodeBuildPolicy
            Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
            Resource: "*"
            Effect: Allow

          - Sid: ECSPolicy
            Action:
              - ecs:DescribeServices
              - ecs:DescribeTaskDefinition
              - ecs:DescribeTasks
              - ecs:ListTasks
              - ecs:RegisterTaskDefinition
              - ecs:UpdateService
              - iam:PassRole
            Resource: "*"
            Effect: Allow
          - Effect: Allow
            Action: kms:*
            Resource: "*"
```

How can I solve this problem?

I really appreciate any help.

Thanks in advance.

tetsuro
asked 5 years ago, 1312 views
4 Answers
0
Accepted Answer

Hi,
I was able to reproduce the "not authorized to perform iam:PassRole" error.
To fix that error, I had to change:

```yaml
            ActionMode: CHANGE_SET_REPLACE
            RoleArn: !Ref CloudFormationRole
```

To:

```yaml
            ActionMode: CHANGE_SET_REPLACE
            RoleArn: !GetAtt CloudFormationRole.Arn
```

And also change:

```yaml
            ActionMode: CHANGE_SET_EXECUTE
            RoleArn: !Ref CloudFormationRole
```

To:

```yaml
            ActionMode: CHANGE_SET_EXECUTE
            RoleArn: !GetAtt CloudFormationRole.Arn
```

That should hopefully unblock you on the "not authorized" error message.

Hope this helps,
-randy

Edited by: RandyTakeshita on Sep 4, 2019 7:11 AM - removed last comment block.

answered 5 years ago
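The root cause behind the accepted answer is that `Ref` on an `AWS::IAM::Role` returns the role name while `RoleArn` needs the role ARN (`Fn::GetAtt Role.Arn`). The following is an added example, not code from the question or the answers: a small linter over a CloudFormation template in its JSON form (`{"Ref": ...}` / `{"Fn::GetAtt": [...]}`) that finds every `RoleArn` set via `Ref` to an IAM role and rewrites it to `Fn::GetAtt`. The template below is constructed to mirror the Deploy stage in the question.

```python
import copy

def _iam_roles(template):
    """Names of every AWS::IAM::Role resource in the template."""
    return {name for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Role"}

def find_ref_role_arns(template):
    """Return [(resource, path)] for every RoleArn that is a Ref to an IAM role."""
    iam_roles = _iam_roles(template)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if (key == "RoleArn" and isinstance(value, dict)
                        and value.get("Ref") in iam_roles):
                    # Ref yields the role *name*; a RoleArn property needs the ARN.
                    findings.append((path[0], "/".join(path + [key])))
                walk(value, path + [key])
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, path + [str(i)])

    for name, res in template.get("Resources", {}).items():
        walk(res.get("Properties", {}), [name])
    return findings

def fix_ref_role_arns(template):
    """Return a deep copy where each flagged Ref becomes Fn::GetAtt [Role, Arn]."""
    fixed = copy.deepcopy(template)
    iam_roles = _iam_roles(fixed)

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if (key == "RoleArn" and isinstance(value, dict)
                        and value.get("Ref") in iam_roles):
                    node[key] = {"Fn::GetAtt": [value["Ref"], "Arn"]}
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(fixed.get("Resources", {}))
    return fixed

# Constructed template (JSON form of the question's Deploy stage, trimmed).
TEMPLATE = {"Resources": {
    "CloudFormationRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "CodePipeline": {"Type": "AWS::CodePipeline::Pipeline", "Properties": {
        "RoleArn": {"Fn::GetAtt": ["CodePipelineServiceRole", "Arn"]},
        "Stages": [{"Name": "Deploy", "Actions": [{
            "Name": "ExecuteChangeSet",
            "Configuration": {"ActionMode": "CHANGE_SET_EXECUTE",
                              "RoleArn": {"Ref": "CloudFormationRole"}}}]}]}}}}
```

Running `find_ref_role_arns(TEMPLATE)` reports the action-level `RoleArn`, and `fix_ref_role_arns(TEMPLATE)` returns a template where that value is `{"Fn::GetAtt": ["CloudFormationRole", "Arn"]}`; the pipeline-level `RoleArn` is left untouched because it already uses `Fn::GetAtt`.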
0

Hi,
Have you verified that the actual user that is launching the CloudFormation stack has the iam:PassRole permission?
-randy

Edited by: RandyTakeshita on Sep 3, 2019 12:04 AM

answered 5 years ago
0

Hello, Randy

Thank you for your reply.

I'm operating as the root user, so the user has the iam:PassRole permission.

tetsuro
answered 5 years ago
0

I reproduced the error.
Thank you so much for your advice.

tetsuro
answered 5 years ago
