How do I resolve the "Role <ROLE_ARN> is invalid or cannot be assumed" error when I update or delete an AWS CloudFormation stack?

Last updated: 2020-10-15

I want to resolve the "Role <ROLE_ARN> is invalid or cannot be assumed" error when I create, update, or delete an AWS CloudFormation stack.

Short description

You receive this error when there's an issue with the AWS Identity and Access Management (IAM) service role that's used by AWS CloudFormation to make calls to resources in a stack on your behalf.

You can receive this error when you try to:

  • Create a stack using the AWS Command Line Interface (AWS CLI) or an API call
  • Update a stack when AWS CloudFormation creates a change set
  • Delete a stack
  • Update or delete the IAM role itself (If the role's trust policy is modified so that it no longer trusts cloudformation.amazonaws.com, or the role is deleted, then AWS CloudFormation can't assume the role for any later stack operation.)

If the trust policy has been modified, then you can resolve this error by editing the trust policy so that it allows AWS CloudFormation to assume the IAM role. If the role has been deleted, then you can resolve this error by creating a role with the same name as the role mentioned in the error message. Alternatively, you can point the stack at a different working role by overriding the currently associated role with the --role-arn parameter from the AWS CLI.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Resolution

Confirm that the IAM role exists, and then create a new IAM role if the role doesn't exist

1.    Open the IAM console.

2.    In the navigation pane, choose Roles.

3.    In the Role name column, choose the IAM role that's mentioned in the error message that you received.

4.    If the role exists, complete the steps in the Confirm that the role trust policy allows AWS CloudFormation to assume the IAM role section.

5.    If the role doesn't exist, create a new IAM role with the same name as the role mentioned in the error. The new role's trust policy must allow cloudformation.amazonaws.com to assume it (see the next section for the trust policy).

6.    Confirm that the new IAM role has all the required permissions for AWS CloudFormation to perform create, update, or delete operations on the resources in your stack.

7.    After the role has been created, create, update, or delete your stack again.

Note: If the new role doesn't have the required IAM permissions, the stack operations fail. For example, the delete operation fails if you try to delete an Amazon Elastic Compute Cloud (Amazon EC2) instance resource when the IAM role doesn't have permission for the ec2:TerminateInstances action. While a service role is associated with a stack, AWS CloudFormation uses that role's permissions, not the permissions of the user who runs the operation, so grant the role only the actions that the stack's resources need.

Confirm that the role trust policy allows AWS CloudFormation to assume the IAM role

1.    Open the IAM console.

2.    In the navigation pane, choose Roles.

3.    In the Role name column, choose the IAM role that's mentioned in the error message that you received.

4.    Choose the Trust relationships tab.

5.    Confirm that the trust relationship shows cloudformation.amazonaws.com as a trusted entity.

If cloudformation.amazonaws.com isn't listed as a trusted entity, then choose Edit trust relationship.

6.    In the Policy Document editor, enter the following AWS CloudFormation service role trust policy (the trusted service must be cloudformation.amazonaws.com, not another service such as ec2.amazonaws.com):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

7.    Choose Update Trust Policy.

The updated trust policy now allows AWS CloudFormation to assume the IAM role.

8.    After the trust policy has been updated, create, update, or delete your stack again.
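The following script is an added example for this article and is not AWS-supplied code. It checks an IAM role's trust policy the way the steps above describe: it reports whether cloudformation.amazonaws.com is allowed to call sts:AssumeRole, and builds the corrected policy document. It uses only the standard library; the constructed sample PAGE_POLICY is the (wrong) trust policy that names ec2.amazonaws.com. The optional aws:SourceAccount condition in cloudformation_trust_policy() is hardening taken from the CloudFormation documentation on confused-deputy prevention, not something this article requires.

```python
"""Check whether an IAM role trust policy lets CloudFormation assume the role.

Added example for this article, not AWS-supplied code. Standard library only:
pass it the AssumeRolePolicyDocument from `aws iam get-role --role-name NAME`
(or boto3's iam.get_role(RoleName=NAME)["Role"]["AssumeRolePolicyDocument"]).
"""
import json

CFN_SERVICE = "cloudformation.amazonaws.com"
# Action values that cover sts:AssumeRole (compared case-insensitively).
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

# Constructed sample: a trust policy that names ec2.amazonaws.com instead of
# CloudFormation, which is exactly what produces the "cannot be assumed" error.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM policy grammar allows a scalar anywhere it allows a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _assume_role_statements(doc, effect):
    """Statements with the given Effect whose Action covers sts:AssumeRole.

    NotAction statements are not interpreted; they are rare in trust policies.
    """
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != effect:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & ASSUME_ACTIONS:
            yield stmt


def _service_principals(stmt):
    """Service principals a statement names (AWS/Federated principals ignored)."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return set()
    return {s.lower() for s in _as_list(principal.get("Service"))}


def diagnose_trust_policy(doc):
    """Return (ok, reason): ok is True only if CloudFormation can assume the role."""
    for stmt in _assume_role_statements(doc, "Deny"):
        if CFN_SERVICE in _service_principals(stmt):
            return False, f"an explicit Deny blocks {CFN_SERVICE} from sts:AssumeRole"
    trusted = set()
    for stmt in _assume_role_statements(doc, "Allow"):
        trusted |= _service_principals(stmt)
    if CFN_SERVICE in trusted:
        return True, f"{CFN_SERVICE} is a trusted entity"
    listed = ", ".join(sorted(trusted)) or "no service principal"
    return False, (f"sts:AssumeRole is allowed for {listed}, not {CFN_SERVICE}; "
                   "this is the 'invalid or cannot be assumed' condition")


def cloudformation_trust_policy(account_id=None):
    """Build the corrected trust policy for a CloudFormation service role.

    account_id is optional hardening (assumption, beyond what the article shows):
    the aws:SourceAccount condition limits the role to stacks in that account,
    the guard CloudFormation documents against the confused-deputy problem.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": CFN_SERVICE},
        "Action": "sts:AssumeRole",
    }
    if account_id:
        statement["Condition"] = {"StringEquals": {"aws:SourceAccount": account_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    ok, why = diagnose_trust_policy(PAGE_POLICY)
    print(f"sample policy: ok={ok}; {why}")
    fixed = cloudformation_trust_policy("123456789123")  # account ID from the CLI examples
    print("corrected policy:", json.dumps(fixed, indent=2))
    print("corrected policy ok:", diagnose_trust_policy(fixed)[0])
```

Run it against the output of `aws iam get-role` before editing the trust policy in the console: a False result names the services the role actually trusts, which is usually enough to see what was changed. The corrected document it prints is what goes into the Policy Document editor in step 6.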

Override the current IAM role used by AWS CloudFormation

If you don't want to repair or re-create the role named in the error, you can use the AWS CLI to associate a different IAM role with the stack. The role that you pass in --role-arn must exist and have a trust policy that allows cloudformation.amazonaws.com to assume it, and the IAM identity that runs the command needs iam:PassRole permission for that role.

1.    To update the stack, run the following command:

aws cloudformation update-stack --stack-name my-stack --template-body file://my-stack-template.json --role-arn arn:aws:iam::123456789123:role/cloudformation-role

Note: Replace my-stack, my-stack-template.json, and 123456789123 with your values.

2.    To delete the stack, run the following command:

aws cloudformation delete-stack --stack-name my-stack --role-arn arn:aws:iam::123456789123:role/cloudformation-role

Note: Replace my-stack and 123456789123 with your values. If you omit --role-arn on delete-stack, AWS CloudFormation uses the role that was previously associated with the stack, which is the role named in the error.
