How do I resolve the "Role [role_arn] is invalid or cannot be assumed" error when I update or delete an AWS CloudFormation stack?


I want to resolve the "Role [role_arn] is invalid or cannot be assumed" error when I create, update, or delete an AWS CloudFormation stack.

Short description

You receive this error when there's an issue with the AWS Identity and Access Management (IAM) service role that's used by AWS CloudFormation to make calls to resources in a stack on your behalf.

You can receive this error when you try to:

  • Create a stack using the AWS Command Line Interface (AWS CLI) or an API call.
  • Update a stack when AWS CloudFormation creates a change set.
  • Delete a stack.
  • Update or delete an IAM role. If you modify the trust policy of an updated IAM role, then AWS CloudFormation can't assume the role.

To resolve this error, determine whether the IAM service role that's used by AWS CloudFormation exists. Then:

  • If the IAM role doesn't exist, create a new IAM role with the same name.
  • If the IAM role exists, confirm that the role trust policy allows AWS CloudFormation to assume the IAM role.

Or, you can override the service role used for the current stack operation by passing a different role with the --role-arn parameter.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Resolution

Confirm that the IAM role exists

1.    Open the IAM console.

2.    In the navigation pane, choose Roles.

3.    In the Role name column, choose the IAM role that's mentioned in the error message that you received.

4.    If the role exists, complete the steps in the Confirm that the role trust policy allows AWS CloudFormation to assume the IAM role section.
      -or-
      Complete the steps in the Override the current IAM role used by AWS CloudFormation section.

      If the role doesn't exist, complete the steps in the Create a new IAM role and confirm it has the required permissions section.

Create a new IAM role and confirm it has the required permissions

1.    Create a new IAM role with the same name as the role mentioned in the error.

2.    Confirm that the new IAM role has the required permissions for AWS CloudFormation to perform create, update, or delete operations on resources in your stack.

3.    After the role is created, you can create, update, or delete your stack again.

Note: If the new role doesn't have the required IAM permissions, then the stack operations could fail. For example, the delete operation fails if you try to delete an Amazon Elastic Compute Cloud (Amazon EC2) instance resource where the IAM role doesn't have the permission for the ec2:TerminateInstances action.

Confirm that the role trust policy allows AWS CloudFormation to assume the IAM role

1.    Open the IAM console.

2.    In the navigation pane, choose Roles.

3.    In the Role name column, choose the IAM role that's mentioned in the error message that you received.

4.    Choose the Trust relationships tab.

5.    Confirm that the trust relationship shows cloudformation.amazonaws.com as a trusted entity.

If cloudformation.amazonaws.com isn't listed as a trusted entity, then choose Edit trust relationship.

6.    In the Policy Document editor, enter the following AWS CloudFormation service role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

7.    Choose Update Trust Policy.

Now, the updated trust policy allows AWS CloudFormation to assume the IAM role.

8.    After the trust policy is updated, you can create, update, or delete your stack again.
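The two checks above (does the role named in the error exist, and does its trust policy let cloudformation.amazonaws.com call sts:AssumeRole) can be scripted against the JSON that `aws iam get-role --role-name <name>` returns. The following Python is an added example, not part of the AWS article: it extracts the account id and role name from the error text, and evaluates a trust policy document the way IAM's Allow/Deny rule does (an explicit Deny beats any Allow). It assumes the AWS CLI's JSON output, where Role.AssumeRolePolicyDocument is already decoded; the error string, account id and all policies below are constructed samples. If `get-role` itself fails with NoSuchEntity, the role does not exist and the "Create a new IAM role" section applies.

```python
"""Offline triage helpers for "Role [role_arn] is invalid or cannot be assumed".

Added example (not the AWS article's own code). Assumes the trust policy is the
document under Role.AssumeRolePolicyDocument in `aws iam get-role` JSON output.
"""
import json
import re

CFN_SERVICE = "cloudformation.amazonaws.com"

# Role ARN inside the error text: group 1 = 12-digit account id, group 2 = path + name.
_ROLE_ARN_RE = re.compile(r"arn:aws[\w-]*:iam::(\d{12}):role/([\w+=,.@/-]+)")

# Constructed sample error, with a placeholder account id.
SAMPLE_ERROR = ("Role arn:aws:iam::123456789012:role/cloudformation-role "
                "is invalid or cannot be assumed")

# Constructed sample trust policies: correct, missing CloudFormation, and an
# explicit Deny that overrides an Allow.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com", CFN_SERVICE]},
     "Action": "sts:AssumeRole"}]}
MISSING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CFN_SERVICE}, "Action": "sts:AssumeRole"},
    {"Effect": "Deny", "Principal": {"Service": CFN_SERVICE}, "Action": "sts:*"}]}

# Constructed sample of `aws iam get-role` output for the good role.
SAMPLE_GET_ROLE = json.dumps({"Role": {
    "RoleName": "cloudformation-role",
    "Arn": "arn:aws:iam::123456789012:role/cloudformation-role",
    "AssumeRolePolicyDocument": GOOD_POLICY}})


def role_from_error(message):
    """Return (account_id, role_name) parsed from the error text, or None."""
    m = _ROLE_ARN_RE.search(message)
    if m is None:
        return None
    account_id, path_and_name = m.groups()
    return account_id, path_and_name.rsplit("/", 1)[-1]   # drop any IAM path


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def _statement_covers(stmt, service):
    """True if this statement names `service` as a principal for sts:AssumeRole."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        services = ["*"]
    elif isinstance(principal, dict):
        services = _as_list(principal.get("Service"))
    else:
        services = []
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return (service in services or "*" in services) and any(
        a in ("sts:assumerole", "sts:*", "*") for a in actions)


def trust_policy_allows(policy, service=CFN_SERVICE):
    """True when the trust policy lets `service` call sts:AssumeRole.

    Applies IAM's rule that an explicit Deny wins over any Allow. Condition
    blocks are not evaluated, so a conditional Allow still counts as allowed;
    that is a limitation of this offline check.
    """
    allowed = False
    for stmt in _as_list(_load(policy).get("Statement")):
        if not _statement_covers(stmt, service):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def diagnose_get_role(get_role_output):
    """Classify `aws iam get-role` JSON output for the CloudFormation use case."""
    doc = _load(get_role_output)["Role"]["AssumeRolePolicyDocument"]
    if trust_policy_allows(_load(doc)):
        return "ok"
    return "trust policy does not allow " + CFN_SERVICE


if __name__ == "__main__":
    print(role_from_error(SAMPLE_ERROR))
    print(diagnose_get_role(SAMPLE_GET_ROLE))
```

Pipe the real `get-role` output into `diagnose_get_role` to decide between the trust-policy fix and the override; the check deliberately treats a Deny on sts:* as blocking, which is why DENY_POLICY above fails even though it also contains an Allow.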

Override the current IAM role used by AWS CloudFormation

1.    To update the stack, run the following command:

aws cloudformation update-stack --stack-name my-stack --template-body file://my-stack-template.json --role-arn arn:aws:iam::123456789123:role/cloudformation-role

Note: Replace my-stack, my-stack-template.json, and 123456789123 with your values.

2.    To delete the stack, run the following command:

aws cloudformation delete-stack --stack-name my-stack --role-arn arn:aws:iam::123456789123:role/cloudformation-role

Note: Replace my-stack and 123456789123 with your values.


Related information

AWS CloudFormation service role

Creating a role to delegate permissions to an AWS service

AWS OFFICIAL. Updated 2 years ago.