Tags: amazon-web-services, aws-lambda, aws-cloudformation, amazon-iam

CloudFormation is not authorized to perform: iam:PassRole on resource


This is part of the code of my template.yml in Cloud9:

Type: 'AWS::Serverless::Function'
Properties:
  Handler: index.handler
  Runtime: nodejs6.10
  CodeUri: .
  Description: Updates records in the AppConfig table.
  MemorySize: 128
  Timeout: 3
  Role: 'arn:aws:iam::579913947261:role/FnRole'
  Events:
    Api1:
      Type: Api
      Properties:

When I commit the changes in Cloud9, the deployment fails at the CodePipeline Deploy stage while attempting ExecuteChangeSet. I get this error:

CloudFormation is not authorized to perform: iam:PassRole on resource

Can anyone help?


Solution

  • User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)

    From this log you can tell what policy (iam:PassRole) needs to be assigned to the CloudFormation role for your stack (CodeStarWorker-AppConfig-CloudFormation).

    You should add the following statement to the policy:

    {
        "Action": [
            "iam:PassRole"
        ],
        "Resource": [
            "arn:aws:iam::156478935478:role/CodeStarWorker-AppConfig-Lambda",
            "arn:aws:iam::579913947261:role/FnRole"
        ],
        "Effect": "Allow"
    }
    

    If you want to assign that permission to all resources ("Resource": "*"), find the following section and, above it under "Action", add the permission you want to assign:

    "Resource": "*",
    "Effect": "Allow"
    

    You can apply this to all other permissions you want to assign to CloudFormation for your resources.
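The answer's approach is to read the AccessDenied message, take the role the deployment runs as and the role it tried to pass, and add an iam:PassRole statement for exactly those ARNs. The following Python script is an added example (not code from the question, the answer, or AWS) that does that mechanically: it parses the message quoted above, emits a policy document scoped to the denied resource, and additionally restricts the grant with the iam:PassedToService condition key so the CloudFormation worker can only pass the role to Lambda. It also includes a small linter that flags the "Resource": "*" variant the answer mentions, since an unconditioned PassRole-on-everything grant lets the worker hand any role in the account to any service. The sample message is constructed from the one on the page; the SERVICE_PRINCIPALS mapping only covers the AWSLambda case shown here and is an assumption for anything else.

```python
import json
import re

# Constructed sample input: the AccessDenied message quoted in the answer above.
SAMPLE_DENIED = (
    "User: arn:aws:sts::156478935478:assumed-role/"
    "CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation "
    "is not authorized to perform: iam:PassRole on resource: "
    "arn:aws:iam::156478935478:role/service-role/FnRole"
    "(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; "
    "Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9)"
)

# Shape of the AccessDenied text: who was denied, which action, on which resource.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role_name>[^/\s]+)/\S+) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9]+:[A-Za-z0-9*]+) "
    r"on resource: (?P<resource>arn:aws:[^\s(]+)"
)

# "Service:" name from the error -> service principal for the iam:PassedToService
# condition key. Only the Lambda entry is taken from the page; extend as needed
# (assumption: other services would be added here by the operator).
SERVICE_PRINCIPALS = {"AWSLambda": "lambda.amazonaws.com"}


def parse_access_denied(message):
    """Extract the denied principal's role name, the action, the resource and the calling service."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an AccessDenied message in the expected form")
    svc = re.search(r"\(Service: ([A-Za-z0-9]+);", message)
    return {
        "account": m.group("account"),
        "role_name": m.group("role_name"),
        "action": m.group("action"),
        "resource": m.group("resource"),
        "service": svc.group(1) if svc else None,
    }


def build_pass_role_statement(resource_arns, passed_to_service):
    """Allow iam:PassRole only on the named roles and only when passed to one service."""
    return {
        "Sid": "PassRoleScoped",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": sorted(set(resource_arns)),
        "Condition": {"StringEquals": {"iam:PassedToService": passed_to_service}},
    }


def policy_from_denial(message):
    """Turn one iam:PassRole AccessDenied message into a minimal policy document that fixes it."""
    info = parse_access_denied(message)
    if info["action"] != "iam:PassRole":
        raise ValueError("this helper only handles iam:PassRole denials")
    service = SERVICE_PRINCIPALS.get(info["service"])
    if service is None:
        raise ValueError(f"unknown service {info['service']!r}; add it to SERVICE_PRINCIPALS")
    return {
        "Version": "2012-10-17",
        "Statement": [build_pass_role_statement([info["resource"]], service)],
    }


def overbroad_pass_role(policy):
    """Return indexes of Allow statements granting iam:PassRole on '*' with no Condition."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        grants_pass = any(a in ("iam:PassRole", "iam:*", "*") for a in actions)
        if grants_pass and "*" in resources and not stmt.get("Condition"):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(json.dumps(policy_from_denial(SAMPLE_DENIED), indent=2))
    wide = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}
    print("over-broad statements:", overbroad_pass_role(wide))
```

Attach the generated document to the CodeStarWorker-AppConfig-CloudFormation role (the role name comes straight out of the parsed message), then re-run the pipeline; if a second denial appears for a different role ARN, feed that message in and merge the Resource lists rather than widening to "*".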