How can I delete an instance that can't be removed due to a missing IAM service role in OpsWorks Stacks?

Last updated: 2019-04-22

I can't delete instances in AWS OpsWorks Stacks due to a missing AWS Identity and Access Management (IAM) service role. Or, when I stop my instances, I get the following error: "OpsWorks failed to obtain the necessary credentials to stop the instance on your behalf. Please try again after waiting a minute. If this error persists, please check the permissions of the service role."

How can I delete my OpsWorks Stack instances?

Short Description

You can't delete an instance in OpsWorks Stacks if the IAM service role used to create the stack is deleted. The OpsWorks DeleteInstance API call can't delete instances if the service role is missing. For DeleteInstance to work, create a new service role manually. Then, give the new role the exact same name as your missing service role.

Resolution

Identify your missing IAM service role

  1. Open the OpsWorks Stacks console.
  2. Choose your stack, and then choose Stack Settings.
  3. In the Advanced options section, choose your missing IAM service role.

Create a new service role with the exact same name as your missing service role

  1. Open the IAM console.
  2. Choose Roles, and then choose Create Role.
  3. For AWS Service, choose OpsWorks, and then choose Next: Permissions.
  4. Skip the pages for attaching permissions policies and IAM tags, and then choose Next: Review.
    Note: The AWSOpsWorksRole policy is added by default in this stage of the role creation process. You don't need to modify this policy.
  5. For Role name, enter the exact same name as your missing role.
  6. Choose Create role.

Attach the AmazonEC2FullAccess policy

  1. Open the IAM console, and then choose Roles.
  2. From the Role name column, choose the new service role that you created earlier.
  3. Choose Attach policies.
  4. In the search box, enter AmazonEC2FullAccess.
  5. Choose AmazonEC2FullAccess, and then choose Attach policy.

Delete the OpsWorks instance

  1. Open the OpsWorks Stacks console, and then choose your stack.
  2. In the navigation pane, choose Instances.
  3. In the Actions column for the instance that you want to stop, choose stop.
  4. After the status of the instance changes to stopped, in the Actions column for that instance, choose delete.

Important: If you delete the OpsWorks instance immediately after creating the new service role and attaching a policy, you might get a permissions error. To resolve this error, wait about five minutes, and then try deleting the OpsWorks instance again.

Delete the service role

  1. Open the IAM console, and then choose Roles.
  2. In the Role name column, choose the new role that you created earlier.
  3. Choose Delete role.
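
The same procedure with the AWS CLI, as an added example that is not part of the original article. It also reuses the IAM path from the stack's stored role ARN and detaches both policies before deleting the role, so the AmazonEC2FullAccess grant does not outlive the cleanup. Assumptions: the function names and the script name recover.sh are hypothetical, and the ARN used for the AWSOpsWorksRole policy is assumed.

```shell
#!/bin/sh
# Added example: AWS CLI form of the console steps above.
TRUST='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"opsworks.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
# Assumed ARN for the AWSOpsWorksRole policy the article names.
OPSWORKS_POLICY='arn:aws:iam::aws:policy/service-role/AWSOpsWorksRole'
EC2_POLICY='arn:aws:iam::aws:policy/AmazonEC2FullAccess'

# Role name = last segment of the ARN the stack still references.
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# IAM path ("/" or "/a/b/"); it is part of the ARN, so it must match too.
role_path_from_arn() {
  rest="${1#*:role}"
  printf '%s/\n' "${rest%/*}"
}

missing_role_arn() {  # $1 = stack ID
  aws opsworks describe-stacks --stack-ids "$1" \
    --query 'Stacks[0].ServiceRoleArn' --output text
}

recreate_role() {  # $1 = role ARN
  name=$(role_name_from_arn "$1"); rpath=$(role_path_from_arn "$1")
  aws iam create-role --role-name "$name" --path "$rpath" \
      --assume-role-policy-document "$TRUST" >/dev/null &&
    aws iam attach-role-policy --role-name "$name" --policy-arn "$OPSWORKS_POLICY" &&
    aws iam attach-role-policy --role-name "$name" --policy-arn "$EC2_POLICY"
}

delete_instance() {  # $1 = OpsWorks instance ID; delete only after a clean stop
  aws opsworks stop-instance --instance-id "$1" &&
    aws opsworks wait instance-stopped --instance-ids "$1" &&
    aws opsworks delete-instance --instance-id "$1"
}

remove_role() {  # $1 = role ARN; the CLI requires detaching policies first
  name=$(role_name_from_arn "$1")
  aws iam detach-role-policy --role-name "$name" --policy-arn "$EC2_POLICY"
  aws iam detach-role-policy --role-name "$name" --policy-arn "$OPSWORKS_POLICY"
  aws iam delete-role --role-name "$name"
}

# Usage: sh recover.sh <stack-id> <opsworks-instance-id>
if [ "$#" -eq 2 ]; then
  arn=$(missing_role_arn "$1") && recreate_role "$arn" || exit 1
  sleep 300  # the article's wait of about five minutes
  delete_instance "$2"
  remove_role "$arn"
fi
```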
