1 Answer
Recreate the service role AWSControlTowerStackSetRole using the AWS CLI to ensure the service role gets created with the correct ARN (i.e. arn:aws:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole) by following the steps below:
- Use the AWS CLI (in a local terminal, or in CloudShell with administrative access) to run the command below in your Management Account:
> nano trustpolicy.json
Input the following Trust Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Create the service role AWSControlTowerStackSetRole with the Trust Policy created in the previous step using the command below (the file:// prefix makes the CLI read the policy from the file instead of treating the argument as the literal policy text):
> aws iam create-role --path /service-role/ --role-name AWSControlTowerStackSetRole --assume-role-policy-document file://trustpolicy.json
The command output should be as follows:
{
  "Role": {
    "Path": "/service-role/",
    "RoleName": "AWSControlTowerStackSetRole",
    "RoleId": "AROAWSSWKAUYWLKUNKKH6",
    "Arn": "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole",
    "CreateDate": "0000-00-00T00:00:00+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudformation.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  }
}
- Using the IAM console, add the following managed policy to the role: AWSControlTowerStackSetRolePolicy
Once the service role AWSControlTowerStackSetRole is recreated with the correct trust policy and attached managed policy as per the steps above, retry the Landing Zone setup.
answered 3 months ago
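The steps in the answer above, carried through end to end on the command line, as an added example that is not part of the original answer. It writes the trust policy, creates the role under the /service-role/ path, attaches the managed policy by looking up its ARN instead of hard-coding it, and then reads the role back and checks that the ARN IAM reports is exactly the one Control Tower expects (single "::" before the account ID, /service-role/ path). The functions run offline; the part that talks to AWS only runs when the script is invoked with --apply. It assumes an authenticated AWS CLI session in the Control Tower management account; the account ID used in the checks is constructed.

```sh
#!/bin/sh
# Added example (not from the original answer): recreate AWSControlTowerStackSetRole
# with the AWS CLI and verify the resulting ARN. Assumes an authenticated CLI
# session in the Control Tower management account.
set -eu

ROLE_NAME="AWSControlTowerStackSetRole"
ROLE_PATH="/service-role/"
POLICY_NAME="AWSControlTowerStackSetRolePolicy"

# Trust policy: only CloudFormation (StackSets) may assume this role.
trust_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cloudformation.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# The ARN Control Tower expects. IAM is a global service, so the region field
# is empty: exactly one "::" before the account ID.
expected_role_arn() {
    printf 'arn:aws:iam::%s:role%s%s\n' "$1" "$ROLE_PATH" "$ROLE_NAME"
}

# Returns 0 when the ARN reported by IAM matches what Control Tower expects.
# Catches a role created without --path /service-role/ as well as a malformed
# ARN such as "arn:aws:iam:::123456789012:role/...".
check_role_arn() {
    [ "$1" = "$(expected_role_arn "$2")" ]
}

# Performs the recreation against the live account. Not run by default.
recreate_role() {
    account_id="$(aws sts get-caller-identity --query Account --output text)"
    trust_policy_json > trustpolicy.json

    # file:// is required: without it the CLI treats the argument as the
    # literal policy document and IAM rejects it as malformed.
    aws iam create-role \
        --path "$ROLE_PATH" \
        --role-name "$ROLE_NAME" \
        --assume-role-policy-document file://trustpolicy.json

    # Resolve the AWS managed policy ARN by name rather than hard-coding it.
    policy_arn="$(aws iam list-policies --scope AWS \
        --query "Policies[?PolicyName=='${POLICY_NAME}'].Arn" --output text)"
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"

    # Read the role back and confirm the ARN before retrying the landing zone setup.
    actual_arn="$(aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text)"
    if check_role_arn "$actual_arn" "$account_id"; then
        echo "OK: $actual_arn"
    else
        echo "ERROR: role ARN is $actual_arn, expected $(expected_role_arn "$account_id")" >&2
        return 1
    fi
}

# Only touch the account when explicitly asked: sh recreate_role.sh --apply
if [ "${1:-}" = "--apply" ]; then
    recreate_role
fi
```

Role names are unique per account regardless of path, so if a role with this name already exists under the wrong path, create-role fails with EntityAlreadyExists; detach its policies and delete it (aws iam detach-role-policy, aws iam delete-role) before running the script with --apply.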