API Gateway does not have permission to assume the provided role

0

Hi All,

I am trying to add a custom domain name to my API Gateway and attach an ACM certificate. I am not able to save, as it throws the following error: "API Gateway does not have permission to assume the provided role arn:aws:iam::XXXXXXXXXXXX:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway". On reading the documentation, I understand that the role AWSServiceRoleForAPIGateway will be automatically created by API Gateway when an ACM certificate is attached. But I am not able to see that role in IAM. Please help me resolve this issue.
best regards,
Amal

asked 5 years ago · 2131 views
5 Answers
1

There was an issue in API Gateway that caused this error to surface. We've patched the issue, and we apologize for the inconvenience.

answered 5 years ago
1

Hi Randy,

Thanks for trying. I finally got that sorted. Posting it so that it may help others.
All I had to do was to create the service role using AWS-CLI.

    Amals-MacBook-Pro:.aws work$ aws iam create-service-linked-role --aws-service-name ops.apigateway.amazonaws.com --description "My service-linked role to attach ssl certificates in api gateway"

After the service role was created, I was able to attach the certificate from AWS Console without any errors.

UPDATE: Just saw the reply from AWS. It seems they have patched the issue, so nothing might be needed to make this work.
best regards,
Amal

Edited by: AmalAntony on Sep 4, 2019 6:06 PM

answered 5 years ago
0

Hi,
Not sure if this will help, but does the user that you are currently logged in as have the following CreateServiceLinkedRole policy?

        {
            "Sid": "ServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::<account id number>:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"
        }

-randy

answered 5 years ago
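
The check Randy asks about can be run offline against exported policy JSON. The following is an added example, not part of the original thread and not AWS code. It is a simplified evaluator for identity-based policies only (no SCPs, permission boundaries or session policies); the account id, function names and sample policies are constructed for illustration.

```python
import re

# Constructed values: account id 123456789012 and the sample policies at the
# bottom are placeholders, not taken from the thread.
SERVICE = "ops.apigateway.amazonaws.com"
ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
            f"{SERVICE}/AWSServiceRoleForAPIGateway")
ACTION = "iam:CreateServiceLinkedRole"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _condition_matches(condition):
    """Evaluate only StringEquals/StringLike on iam:AWSServiceName."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            if key.lower() != "iam:awsservicename" or op not in ("StringEquals", "StringLike"):
                raise ValueError(f"condition not handled by this sketch: {op} {key}")
            if not any(_glob(v, SERVICE) if op == "StringLike" else v == SERVICE
                       for v in _as_list(values)):
                return False
    return True

def can_create_slr(policies, role_arn=ROLE_ARN):
    """True if some statement allows the action and none explicitly denies it."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            if "NotAction" in st or "NotResource" in st:
                raise ValueError("NotAction/NotResource not handled by this sketch")
            if not any(_glob(a, ACTION, ignore_case=True) for a in _as_list(st["Action"])):
                continue  # action names are case-insensitive
            if not any(_glob(r, role_arn) for r in _as_list(st["Resource"])):
                continue  # ARNs are matched case-sensitively
            if not _condition_matches(st.get("Condition", {})):
                continue
            if st["Effect"] == "Deny":
                return False  # an explicit deny always wins
            allowed = True
    return allowed

RANDY = {"Statement": [{"Sid": "ServiceLinkedRole", "Effect": "Allow",
                        "Action": ACTION, "Resource": ROLE_ARN}]}
OTHER_SERVICE = {"Statement": [{"Effect": "Allow", "Action": "iam:Create*", "Resource": "*",
    "Condition": {"StringLike": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}}}]}
```

`can_create_slr([RANDY])` returns `True`, while `can_create_slr([OTHER_SERVICE])` returns `False` because the grant is scoped to a different service name.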
0

Hi Randy,

Thanks for the reply. The account I am logging in with has Administrator Access. The issue is not fixed yet.

Thanks and regards,
Amal

Edited by: AmalAntony on Sep 3, 2019 10:45 PM

answered 5 years ago
0

Hi,
I am trying to reproduce your issue. I set up a custom domain for a Regional REST API in my environment and I was NOT able to reproduce your problem. The AWSServiceRoleForAPIGateway was properly created and the ACM Certificate was attached without errors.
My ACM Certificate was generated in us-east-1 and I created the Custom Domain Name in us-east-1 (not sure if that makes any difference).

My final screen looks like the following:

example.com
Uploaded on 9/3/2019

Regional
Status: AVAILABLE
Security Policy: TLS 1.2
Target Domain Name: d-55ssdnlp4zj.execute-api.us-east-1.amazonaws.com
Hosted Zone ID: Z1UJRXOUMOOFQ8
ACM Certificate: example.com (7589272b)

My logged in user also has the AWS provided AdministratorAccess Policy.

If you can think of anything different from your setup that you would like me to try on my side to see if I can reproduce, let me know.

-randy

answered 5 years ago
