
How do I troubleshoot when User: arn is not authorized to perform Create * or Delete * or Update * on resource(s) because no identity-based policy allows the actions

3 minute read
Content level: Intermediate

This article addresses a common issue in AWS Identity and Access Management (IAM) where users encounter authorization errors when attempting to perform Create, Delete, or Update actions on AWS resources while using CloudFormation.

Description:

When a CloudFormation stack operation (create, update or delete) fails for this reason, the stack events show an error of the form "User: <principal ARN> is not authorized to perform: <service>:<Action> on resource: <resource ARN> because no identity-based policy allows the <service>:<Action> action" (the angle-bracket parts are placeholders for the values in your message). The message is the API's AccessDenied response for the single call that CloudFormation made on your behalf.

The message names three things: the IAM principal (by ARN) that CloudFormation used to make the call, which is the stack's service role if one was supplied or otherwise the credentials of the caller who started the operation; the API action it attempted; and the resource it targeted. "No identity-based policy allows" means that none of the policies attached to that principal (inline or managed policies, and group policies for a user) grants that action on that resource, so the call is denied and the create, update or delete fails.

Resolution:

To resolve this issue, update the policy of the principal named in the error message:

  1. Open the AWS Management Console and navigate to the Identity and Access Management (IAM) service.
  2. In the IAM console, select "Users", "Roles" or "User groups" as appropriate from the left-hand navigation menu.
  3. Find the principal named after "User:" in the error message, the one that lacks permission for the failing action. If the ARN is an assumed-role ARN (arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>), the entity to edit is the role given as <RoleName>; the session name after it is not an IAM entity.
  4. In the example below, the assumed role CFN cannot create the bucket because no policy attached to the role allows the s3:CreateBucket action.

[Image: CloudFormation error]

  1. In the IAM console, click the role name to open the role details page.
  2. On the "Permissions" tab, open the policy that should grant the required permission.
  3. In the policy document, locate the "Statement" array and add a new statement that allows the missing action (copy it exactly as written in the error message, for example s3:CreateBucket) on the required resource(s), scoped to the specific resource ARNs the stack needs rather than "*".
  4. Save the changes to the policy.
  5. The role now has the permission the message asked for. IAM changes are eventually consistent, so a retry within a few seconds can still fail; if the next attempt reports a different action, repeat the steps for that action.
  6. Return to the CloudFormation console and run the Create/Update/Delete operation again (for a failed create, delete the stack and create it again; for a failed update, use Retry or submit the update again).
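The steps above, and the policy-type caveats in the Note that follows, can be automated for the triage part: read the AccessDenied message from the stack event, work out which IAM entity to edit, and build the least-privilege statement (or explain why editing the identity policy will not help). The following is an added example, not code from the article or from AWS. The two sample messages are constructed to match the documented error format; the account ID, role name CFN, session name, user name and bucket name are placeholders, as is the inline policy name CfnMissingPermissions.

```python
"""Triage a CloudFormation AccessDenied event and derive the fix.

Added example; not code from the original article or from AWS. The sample
messages are constructed to match the documented error format, with placeholder
account ID, role, session, user and bucket names.
"""
import json
import re

# Constructed sample messages (placeholders: account 111122223333, role CFN,
# user deployer, bucket example-bucket).
SAMPLE_IDENTITY = (
    "User: arn:aws:sts::111122223333:assumed-role/CFN/AWSCloudFormation is not authorized "
    "to perform: s3:CreateBucket on resource: arn:aws:s3:::example-bucket "
    "because no identity-based policy allows the s3:CreateBucket action"
)
SAMPLE_SCP = (
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "s3:DeleteBucket on resource: arn:aws:s3:::example-bucket "
    "with an explicit deny in a service control policy"
)

_HEAD = re.compile(
    r"User:\s+(?P<principal>\S+)\s+is not authorized to perform:\s+(?P<action>[^\s:]+:\S+)"
    r"(?:\s+on resource:\s+(?P<resource>\S+))?"
)
_NO_ALLOW = re.compile(r"because no (?P<policy>.+?) allows the \S+ action")
_EXPLICIT_DENY = re.compile(r"with an explicit deny in an? (?P<policy>.+?)\s*$")


def parse_access_denied(message):
    """Return principal, action, resource and the policy type named as the reason, or None."""
    head = _HEAD.search(message)
    if not head:
        return None
    info = {
        "principal": head.group("principal"),
        "action": head.group("action"),
        "resource": head.group("resource") or "*",  # some services omit the resource part
        "denied_by": None,  # policy type named in the message, if any
        "explicit_deny": False,
    }
    if m := _EXPLICIT_DENY.search(message):
        info["denied_by"], info["explicit_deny"] = m.group("policy"), True
    elif m := _NO_ALLOW.search(message):
        info["denied_by"] = m.group("policy")
    return info


def principal_target(principal_arn):
    """Map the principal ARN to the IAM entity whose policies must change.

    Returns (entity_type, name) such as ("role", "CFN"), or None for principals
    that have no attachable identity policy (for example the account root user).
    """
    parts = principal_arn.split(":", 5)
    if len(parts) != 6 or parts[2] not in ("iam", "sts"):
        return None
    segments = parts[5].split("/")
    kind = segments[0]
    if kind == "assumed-role" and len(segments) >= 2:
        return ("role", segments[1])  # assumed-role/<RoleName>/<SessionName>
    if kind in ("role", "user") and len(segments) >= 2:
        return (kind, segments[-1])  # any path segments precede the final name
    return None


def remediation(message, policy_name="CfnMissingPermissions"):
    """Classify the denial and, when an Allow will fix it, build the statement and CLI command."""
    info = parse_access_denied(message)
    if info is None:
        raise ValueError("not an AccessDenied message in the documented format")
    target = principal_target(info["principal"])
    statement = {
        "Sid": "Allow" + re.sub(r"\W", "", info["action"]),
        "Effect": "Allow",
        "Action": info["action"],
        "Resource": info["resource"],
    }
    result = {"info": info, "target": target, "statement": statement, "command": None}
    if info["explicit_deny"]:
        # An Allow never overrides an explicit Deny; the Deny statement itself must change.
        result["kind"] = "remove-deny"
    elif info["denied_by"] not in (None, "identity-based policy"):
        # SCP, permissions boundary, session or resource policy: the role's own policy is not the gap.
        result["kind"] = "fix-" + info["denied_by"].replace(" ", "-")
    elif target is None:
        result["kind"] = "unknown-principal"
    else:
        result["kind"] = "add-allow"
        doc = json.dumps({"Version": "2012-10-17", "Statement": [statement]}, separators=(",", ":"))
        result["command"] = (
            f"aws iam put-{target[0]}-policy --{target[0]}-name {target[1]} "
            f"--policy-name {policy_name} --policy-document '{doc}'"
        )
    return result


if __name__ == "__main__":
    for msg in (SAMPLE_IDENTITY, SAMPLE_SCP):
        r = remediation(msg)
        print(r["kind"], r["target"], r["command"] or "")
```

The generated statement grants exactly one action on exactly the resource ARN from the message, which is the least-privilege fix the article recommends; widen it only if the stack genuinely needs more. Messages that name a service control policy, a permissions boundary or an explicit deny are reported as a different "kind", because adding an Allow to the identity policy cannot fix those.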

For more information, see Prepare for least-privilege permissions.

Note:

  • If the policy attached to the principal is an AWS managed policy, it cannot be edited. Create a customer managed policy (or an inline policy) containing the missing statement and attach it to the same role, user or group.
  • If you do not have permission to update IAM roles or policies, escalate to someone on your team who does.
  • If your account is part of an AWS Organization, a service control policy (SCP) may be restricting the action; check in the AWS Organizations console. The wording of the message tells you which policy type caused the denial: "because no identity-based policy allows" points at the principal's own policies, whereas denials caused by an SCP or a permissions boundary name that policy type instead. A message containing "with an explicit deny" cannot be fixed by adding an Allow statement; the Deny statement itself must be changed.

This article was co-authored by Priyanka Yadav and Kirtan Gajjar. If you have any questions, please feel free to comment on this article.
