Creating Code pipeline stack from Cloud Formation

0

I am getting this on CFN console: Encountered a permissions error performing a tagging operation. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Failure Details: "null for activityId="7" of activityType={Name: PipelineActivities.createPipeline,Version: $VERSION$}"

CT: "errorMessage": "User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: iam:PassRole on resource: CodePipelinePolicy",

Code: AWSTemplateFormatVersion: 2010-09-09 Description: CodePipeline sample Parameters: CodeCommitRepoName: Type: String CodePipelineName: Type: String

Resources: CodePipeLineRole: Type: AWS::IAM::Role Properties: RoleName: CodePipelinePolicy AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "codepipeline.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly Policies: - PolicyName: CodePipelineAccess PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: #- codecommit:UploadArchive - logs:Describe* - logs:Create* - logs:Put* - codepipeline:* Resource: "*" # - PolicyName: PassRole # PolicyDocument: # Version: "2012-10-17"clear

    #     Statement:
    #       - Effect: "Allow"
    #         Action:
    #           - iam:PassRole
    #         Resource: "arn:aws:iam::216564071998:role/CodePipelinePolicy"

CodePipeline: Type: 'AWS::CodePipeline::Pipeline' Properties: ExecutionMode: SUPERSEDED Name: !Ref CodePipelineName PipelineType: V2 RoleArn: !GetAtt [CodePipeLineRole, Arn] Tags: - Key: DeploymentType Value: "CloudFormation" Stages: - Name: Source Actions: - Name: CheckoutSourceTemplate ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit Configuration: PollForSourceChanges: False RepositoryName: !Ref CodeCommitRepoName BranchName: main OutputArtifacts: - Name: TemplateSource RunOrder: 1 - Name: Deploy Actions: - Name: CreateStack ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: 1 InputArtifacts: - Name: TemplateSource Configuration: ActionMode: CREATE_UPDATE RoleArn: !Ref CodePipeLineRole StackName: pipeline Capabilities: CAPABILITY_IAM TemplateConfiguration: TemplateSource::test-configuration.json TemplatePath: TemplateSource::template.yml RunOrder: 1

3 Answers
0
Accepted Answer

Thanks I have managed to fix it by myself. I had to give the iam:pass role to CodePipeline so that it can pass CFN role to the CFN service. The cloud trail message was a bit confusing.

SSHOAIB
answered a month ago
0

Hello.

CT: "errorMessage": "User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: iam:PassRole on resource: CodePipelinePolicy",

Judging from the content of the error message, it appears that the IAM user you are using does not have sufficient permissions to attach an IAM policy.
What IAM policy is set for the IAM user you are using?
Can you confirm if setting "AdministratorAccess" for the IAM user resolves the issue?
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html

Also, when deploying CloudFormation with CodePipeline, permissions to operate CloudFormation are required in CodePipeline's IAM policy.
https://docs.aws.amazon.com/codepipeline/latest/userguide/security-iam.html#how-to-custom-role

  CodePipeLineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CodePipelinePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "codepipeline.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
      Policies:
        - PolicyName: CodePipelineAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - logs:Describe*
                  - logs:Create*
                  - logs:Put*
                  - codepipeline:*
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                Resource: "*"
profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
0

AWSTemplateFormatVersion: 2010-09-09 Description: CodePipeline sample Parameters: CodeCommitRepoName: Type: String CodePipelineName: Type: String

Resources: CodePipeLineRole: Type: AWS::IAM::Role Properties: RoleName: CodePipelinePolicy AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "codepipeline.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly Policies: - PolicyName: CodePipelineAccess PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: #- codecommit:UploadArchive - logs:Describe* - logs:Create* - logs:Put* - codepipeline:* Resource: "*" # - PolicyName: PassRole # PolicyDocument: # Version: "2012-10-17"clear

    #     Statement:
    #       - Effect: "Allow"
    #         Action:
    #           - iam:PassRole
    #         Resource: "arn:aws:iam::216564071998:role/CodePipelinePolicy"

CodePipeline: Type: 'AWS::CodePipeline::Pipeline' Properties: ExecutionMode: SUPERSEDED Name: !Ref CodePipelineName PipelineType: V2 RoleArn: !GetAtt [CodePipeLineRole, Arn] Tags: - Key: DeploymentType Value: "CloudFormation" Stages: - Name: Source Actions: - Name: CheckoutSourceTemplate ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: CodeCommit Configuration: PollForSourceChanges: False RepositoryName: !Ref CodeCommitRepoName BranchName: main OutputArtifacts: - Name: TemplateSource RunOrder: 1 - Name: Deploy Actions: - Name: CreateStack ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: 1 InputArtifacts: - Name: TemplateSource Configuration: ActionMode: CREATE_UPDATE RoleArn: !Ref CodePipeLineRole StackName: pipeline Capabilities: CAPABILITY_IAM TemplateConfiguration: TemplateSource::test-configuration.json TemplatePath: TemplateSource::template.yml RunOrder: 1

SSHOAIB
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions