Resolving Permissions Issues with IAM: Knowledge of the iam:CreateRole Error

Have you ever been working in AWS and been stopped by an error message that makes no sense at first glance? Often the dreaded "not authorized to perform" error is the culprit. It usually appears when a role or user lacks the permission needed to carry out a particular action. Have you ever seen something like this:
You're not alone, so don't worry! In this post we'll look at what the error means, what causes it, and, above all, how to resolve it.
# What's Happening Here?
The error message is fairly simple: the role or user you are working with does not have permission to create a new IAM role. It means that no policy attached to that user or role allows the `iam:CreateRole` action, and IAM denies any action that is not explicitly allowed.
Identity and Access Management (IAM) is one of AWS's most effective tools for managing access to AWS resources. But with great power comes great responsibility, and if you're not careful, managing permissions can get complicated. The error message you are seeing shows that a permission is missing from your AWS setup.
# When Do You Run Into This Issue?
You'll typically run into the "not authorized to perform iam:CreateRole" error in the following scenarios:
## Creating a New IAM Role for a Service or User
When configuring an AWS service (such as AWS CodeBuild, AWS Lambda, or Amazon EC2) that needs its own IAM role for permissions, you may have to create a new role. This error occurs when a person or service tries to create that role without having the `iam:CreateRole` permission.
Example: Trying to set up a CodeBuild project that requires a service role, but the user doesn't have permission to create that role.
## Setting Up Automation or CI/CD Pipelines
If you're automating infrastructure provisioning with a CI/CD pipeline (using tools like Terraform or AWS CodePipeline), IAM roles may need to be created dynamically. This error occurs if the pipeline's IAM role lacks the `iam:CreateRole` permission.
Example: Using a script that triggers AWS CloudFormation to create new resources, which fails to create a role because the IAM role executing the script doesn't have `iam:CreateRole`.
## Assigning or Modifying Service Roles
When working with services that must assume specific IAM roles, like AWS Lambda or Amazon ECS, you may hit a permission error when you attempt to assign an existing role to the service or to create a new one, if the user is not allowed to create roles in IAM.
Example: Assigning a service role to a new EC2 instance, but the user trying to do this doesn't have the `iam:CreateRole` permission.
## Permissions Related to Infrastructure as Code (IaC) Tools
A number of infrastructure tools, such as Terraform, CloudFormation, or AWS CDK, manage IAM role creation for you. This error will appear if you use any of these tools to create resources that need new IAM roles and the user isn't authorized to create roles.
Example: Running a `terraform apply` command that tries to create new IAM roles as part of an infrastructure change, but the user running the command doesn't have permission to create roles.
## Cross-Account Role Creation
If you're dealing with multiple accounts, you may attempt to create roles in one AWS account from another (for instance, when setting up a cross-account role). The `iam:CreateRole` operation will be rejected if the IAM user in the second account lacks the authority to create roles in the first account.
Example: Trying to create a role in Account A using a user from Account B, but the user doesn't have cross-account permissions to create roles in Account A.
# The Fix: Adding the Right Permission
To solve this, you'll need to make sure the user or role has the correct permissions attached to it. Here's how:
## Locate the Role or User
First, figure out which role or user is running into the issue. The error message names it; in this case it's `arn:aws:sts::123456789012:assumed-role/role-name/username`. That is an assumed-role session ARN, so the policies to fix are the ones attached to the IAM role `role-name` (the trailing `username` is only the session name). You can find the role in the IAM console.
## Check the Policies
Next, look at the IAM policies attached to that role or user. Policies define which actions are allowed or denied. In this case, you need to make sure a policy allows the `iam:CreateRole` action.
## Update the Policy
If the permission is missing, you'll need to add a new policy or update an existing one. Here's an example of what the policy might look like to allow creating roles:
This policy gives permission to create roles for the specified resource (in this case, `some-role`). You can apply it to the user or role in question.
# Things to Keep in Mind
If you're still having trouble after adding the right policy, there are a few other things to check:
- Permission Boundaries: A permission boundary caps what an identity's policies can grant, so a strict boundary can block the action even when the attached policy allows it.
- Service Control Policies (SCPs): Check for SCPs that prevent `iam:CreateRole` from being used anywhere in the account.
- Session Policies: Ensure no restrictive session policies are blocking the action.
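To make the fix steps and the checklist above concrete, here is an added example, written for this post rather than taken from it or from AWS, that walks an error message through the same checks: it parses the AccessDenied text to find which role's policies to fix (mapping the assumed-role session ARN to the IAM role ARN), then evaluates a constructed `iam:CreateRole` policy against the action and resource, with the permission boundary and SCP layers from the list above. The account id, role names, the sample error text and the policy documents are all constructed placeholders, and the evaluator is a deliberately simplified model of IAM (wildcard matching only, no Condition keys, no resource-based policies).

```python
import fnmatch
import re

# --- 1. Identify the principal and action named in the error message.
# Assumption: the message follows the AWS AccessDenied format
# "User: <principal arn> is not authorized to perform: <action> on resource: <arn>".
PRINCIPAL_RE = re.compile(
    r"User: (?P<arn>\S+) is not authorized to perform: (?P<action>\S+)"
    r"(?: on resource: (?P<resource>\S+))?"
)
# An assumed-role session ARN; the policies live on the IAM role, not on the session.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/"
)


def parse_access_denied(message):
    """Return (principal_arn_to_fix, action, resource) from an AccessDenied message."""
    m = PRINCIPAL_RE.search(message)
    if not m:
        raise ValueError("not an AccessDenied message")
    arn = m["arn"]
    r = ASSUMED_ROLE_RE.match(arn)
    if r:  # arn:aws:sts::ACCT:assumed-role/NAME/SESSION -> arn:aws:iam::ACCT:role/NAME
        arn = f"arn:aws:iam::{r['account']}:role/{r['role']}"
    return arn, m["action"], m["resource"]


# --- 2. Simplified IAM policy evaluation (wildcards only; actions are case-insensitive).
def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _match(patterns, value, fold_case=False):
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if "Action" in stmt and not _match(_as_list(stmt["Action"]), action, True):
        return False
    if "NotAction" in stmt and _match(_as_list(stmt["NotAction"]), action, True):
        return False
    if "Resource" in stmt and not _match(_as_list(stmt["Resource"]), resource):
        return False
    if "NotResource" in stmt and _match(_as_list(stmt["NotResource"]), resource):
        return False
    return True


def evaluate_policy(policy, action, resource):
    """'Deny' if a matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    result = None
    for stmt in _as_list(policy.get("Statement")):
        if _statement_applies(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, resource, identity_policies, scps=(), boundary=None, session_policy=None):
    """Combine the layers from the checklist. An explicit Deny in any layer wins; otherwise
    some identity policy must allow the action, and so must every SCP, the permission
    boundary and the session policy when present. Returns (allowed, reason)."""
    layers = [("identity policy", list(identity_policies), False)]
    if scps:
        layers.append(("service control policy", list(scps), True))  # every SCP must allow
    if boundary is not None:
        layers.append(("permission boundary", [boundary], True))
    if session_policy is not None:
        layers.append(("session policy", [session_policy], True))
    for name, policies, need_all in layers:
        results = [evaluate_policy(p, action, resource) for p in policies]
        if "Deny" in results:
            return False, f"explicit Deny in {name}"
        allows = [r == "Allow" for r in results]
        if not (all(allows) if need_all else any(allows)):
            return False, f"no Allow in {name} (implicit deny)"
    return True, "allowed"


# --- 3. Constructed sample inputs (placeholder account id and names, not real identifiers).
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the CreateRole operation: "
    "User: arn:aws:sts::123456789012:assumed-role/role-name/username is not authorized "
    "to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/some-role"
)
CREATE_ROLE_POLICY = {  # the narrow Allow the post recommends adding
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreateRole",
                   "Resource": "arn:aws:iam::123456789012:role/some-role"}],
}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_CREATE_ROLE_SCP = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Deny", "Action": "iam:CreateRole", "Resource": "*"}]}

if __name__ == "__main__":
    principal, action, resource = parse_access_denied(SAMPLE_ERROR)
    print("attach the policy to:", principal)
    print("policy added:", is_allowed(action, resource, [CREATE_ROLE_POLICY]))
    print("with boundary:", is_allowed(action, resource, [CREATE_ROLE_POLICY], boundary=S3_ONLY_BOUNDARY))
    print("with SCP:", is_allowed(action, resource, [CREATE_ROLE_POLICY], scps=[DENY_CREATE_ROLE_SCP]))
```

Running the script shows the three outcomes the checklist describes: the narrow policy alone allows the call, an S3-only boundary turns it back into an implicit deny, and a denying SCP produces an explicit deny that no identity policy can override. The resource in the policy is scoped to the one role being created, which is the least-privilege grant the conclusion recommends.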
# Conclusion
Managing IAM permissions in AWS can be tricky, but by following best practices, troubleshooting errors like `iam:CreateRole` becomes easier. Grant the least privilege necessary, use roles over users, and keep policies up to date.