Overview
When I applied a CloudFormation stack containing an IAM Role with managed policies attached, I got the errors "does not exist or is not attachable" and "...Role is not valid.". I found the cause, so here it is.
Cause and solution
First, the case where it was imported as follows.
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sns.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      RoleName: LambdaRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSNSFullAccess
        - arn:aws:iam::aws:policy/AWSLambdaExecute
        - arn:aws:iam::aws:policy/AWSLambdaVPCAccessExecutionRole
With the template above, the following error occurs.
Resource handler returned message: "Policy arn:aws:iam::aws:policy/AWSLambdaVPCAccessExecutionRole does not exist or is not attachable.
The problem seems to be AWSLambdaVPCAccessExecutionRole.
Should it be service-role instead of policy?
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sns.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      RoleName: LambdaRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSNSFullAccess
        - arn:aws:iam::aws:policy/AWSLambdaExecute
        - arn:aws:iam::aws:service-role/AWSLambdaVPCAccessExecutionRole
This time a different error appears.
Resource handler returned message: "ARN arn:aws:iam::aws:service-role/AWSLambdaVPCAccessExecutionRole is not valid.
Oh, so policy has to come before service-role.
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sns.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      RoleName: LambdaRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSNSFullAccess
        - arn:aws:iam::aws:policy/AWSLambdaExecute
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
So with the template above, the stack applied successfully.
The reason is that the path of an AWS managed policy is part of its ARN: the resource part is always policy followed by the path and the name, and AWSLambdaVPCAccessExecutionRole lives under the /service-role/ path, while AmazonSNSFullAccess and AWSLambdaExecute live under /. The two error messages tell these cases apart: "is not valid" means the ARN itself is malformed (no policy segment), while "does not exist or is not attachable" means the ARN is well formed but nothing exists at that path. The exact ARN, including the path, can be looked up with aws iam list-policies --scope AWS before deploying.
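As an added example (not code from the original post), a small offline check that applies the same ARN rule to a role's ManagedPolicyArns before a deploy, so both failures above are caught locally; the policy catalogue is constructed from the three policies in this post and would be filled from aws iam list-policies --scope AWS in practice.

```python
"""Validate the ManagedPolicyArns of an IAM role against the managed-policy
ARN format and a catalogue of known AWS managed policies, reproducing the
two CloudFormation failures described above without calling AWS."""
import re

# Managed-policy ARN: account is "aws" (AWS managed) or a 12-digit account id
# (customer managed); the resource is "policy" + optional path + policy name.
_POLICY_ARN = re.compile(r"^arn:aws:iam::(aws|\d{12}):policy/((?:[^/]+/)*)([^/]+)$")

# Constructed, partial catalogue of AWS managed policies: name -> path.
# A real one is filled from `aws iam list-policies --scope AWS` (Path field).
KNOWN_POLICIES = {
    "AmazonSNSFullAccess": "/",
    "AWSLambdaExecute": "/",
    "AWSLambdaVPCAccessExecutionRole": "/service-role/",
}


def validate_policy_arn(arn, known=KNOWN_POLICIES):
    """Return (status, detail). status is one of:
    'ok'         well formed and the path matches the catalogue
    'invalid'    not a managed-policy ARN (CloudFormation: "ARN ... is not valid")
    'wrong-path' known name under the wrong path (CloudFormation: "does not
                 exist or is not attachable")
    'unknown'    well formed but not in the catalogue (e.g. customer managed)
    """
    m = _POLICY_ARN.match(arn)
    if not m:
        return "invalid", "expected arn:aws:iam::aws:policy/<path><name>"
    account, path, name = m.group(1), "/" + m.group(2), m.group(3)
    if account != "aws":
        return "unknown", "customer managed policy; not in catalogue"
    if name not in known:
        return "unknown", f"{name} not in catalogue"
    if known[name] != path:
        fixed = f"arn:aws:iam::aws:policy{known[name]}{name}"
        return "wrong-path", f"use {fixed}"
    return "ok", ""


def check_role(managed_policy_arns, known=KNOWN_POLICIES):
    """Validate every ARN in a role's ManagedPolicyArns list."""
    return [(arn,) + validate_policy_arn(arn, known) for arn in managed_policy_arns]


if __name__ == "__main__":
    # The ManagedPolicyArns from the first (failing) template in the post.
    for arn, status, detail in check_role([
        "arn:aws:iam::aws:policy/AmazonSNSFullAccess",
        "arn:aws:iam::aws:policy/AWSLambdaExecute",
        "arn:aws:iam::aws:policy/AWSLambdaVPCAccessExecutionRole",
    ]):
        print(f"{status:10} {arn} {detail}")
```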