
Stack deploy error: Policy arn:aws:iam::aws:policy/service-role/AWSConfigRole does not exist or is not attachable #77

Open
phitoduck opened this issue Oct 13, 2022 · 0 comments

@phitoduck

Hi there, I went to deploy this stack today and got the following error:

(thrown when creating the ConfigRole resource)

Policy arn:aws:iam::aws:policy/service-role/AWSConfigRole does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 7a7836dd-0c87-4dca-85cb-6e94da045748; Proxy: null)

This probably caused the second error:

(thrown when creating the DeliveryChannel resource)

Configuration recorder is not available to put delivery channel. (Service: AmazonConfig; Status Code: 400; Error Code: NoAvailableConfigurationRecorderException; Request ID: 0c9fa708-2bc4-43bf-a0e5-9f64290c1004; Proxy: null)

I confirmed that the ConfigRole resource is indeed trying to access

```yaml
Resources:
  # ...
  ConfigRole:
    Type: AWS::IAM::Role
    Condition: ShouldCreateConfig
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - config.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /service-role/
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
      Policies:
        - PolicyName: ConfigService-S3Access
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:PutObjectAcl'
                Resource: !Join ['', ['arn:aws:s3:::', !Ref ConfigS3Bucket, '/AWSLogs/', !Ref AWS::AccountId, '/*']]
      Description: Role to allow Config Service communicate with Delivery Channel
      RoleName: !Join ['-', ['ConfigRole', !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId' ]]]]]]
```

I noticed that the managed policy referenced in the policy does not exist in our AWS account. Could it be because our account is part of an AWS Organization?


As a workaround, I'll copy the YAML for this stack directly into the CDK app we use to deploy, and simply change the policy name to the AWS Organizations version.
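A pre-deploy check for the failure described in this issue, added here as an example and not part of the reported stack or the CDK app: it parses a CloudFormation YAML template (handling the short-form intrinsics such as `!Join` and `!Ref` that plain `yaml.safe_load` rejects), collects every `ManagedPolicyArns` entry on `AWS::IAM::Role` resources, and reports those a supplied `policy_exists` callback cannot confirm. It assumes PyYAML is installed; the template excerpt and the `KNOWN` set are constructed stand-ins for the real template and for an `iam:GetPolicy` lookup.

```python
"""Flag managed policy ARNs in a CloudFormation template that IAM does not know.
Constructed example: the template is a trimmed copy of the ConfigRole resource
and KNOWN stands in for what iam:GetPolicy would confirm (AWS_ConfigRole is the
policy AWS currently documents for the Config service role)."""
import yaml


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that accepts CloudFormation short-form intrinsic tags."""


def _intrinsic(loader, suffix, node):
    # !Ref / !Join / !Select ... are turned into {"Fn::<name>": value} so the
    # template parses; we only need to know they are not plain ARN strings.
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node, deep=True)
    else:
        value = loader.construct_mapping(node, deep=True)
    return {"Fn::" + suffix: value}


CfnLoader.add_multi_constructor("!", _intrinsic)

TEMPLATE = """
Resources:
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
      RoleName: !Join ['-', ['ConfigRole', !Ref 'AWS::StackId']]
"""
# Constructed stand-in for the policies an iam:GetPolicy call would confirm.
KNOWN = {"arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"}


def managed_policy_arns(template_text):
    """Map role logical id -> literal managed policy ARNs attached to it."""
    doc = yaml.load(template_text, Loader=CfnLoader)
    out = {}
    for name, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for arn in res.get("Properties", {}).get("ManagedPolicyArns", []):
            if isinstance(arn, str):  # skip !Sub/!Ref values; resolve those at deploy time
                out.setdefault(name, []).append(arn)
    return out


def missing_policies(template_text, policy_exists):
    """policy_exists(arn) -> bool; in production wrap boto3 iam.get_policy
    and treat a NoSuchEntity error as False. Returns only roles with gaps."""
    report = {}
    for role, arns in managed_policy_arns(template_text).items():
        missing = [a for a in arns if not policy_exists(a)]
        if missing:
            report[role] = missing
    return report


if __name__ == "__main__":
    print(missing_policies(TEMPLATE, lambda arn: arn in KNOWN))
```

Run before `cdk deploy` or `aws cloudformation deploy`, the check surfaces the NoSuchEntity failure at review time rather than mid-rollback.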
