Pipeline: Unable to create a pipeline due to a lack of "iam:TagRole" permission. #279

Open
AlbertMingXu opened this issue Mar 28, 2024 · 1 comment
Labels
bug Something isn't working

Describe the bug

When you are creating a pipeline, the console may display a failed status for the pipeline. Clicking on the failure will provide the following error message:

Encountered a permissions error performing a tagging operation, please add required tag permissions. Retrying request without including tags. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::123456789012:assumed-role/clo-APICfnFlowCfnHelperServiceRole-111CLC116XCRH/clo-APICfnFlowCfnHelper-zH6Arx7iEUMY is not authorized to perform: iam:TagRole on resource: arn:aws:iam::123456789012:role/CL-SvcPipe-05044865-InitStackLogProcessorFnServiceR-9LvXu because no identity-based policy allows the iam:TagRole action (Service: Iam, Status Code: 403, Request ID: 45ea390f-2cc9-45e9-9539-5a5fea931e65)"

Expected Behavior

The status of the pipeline is shown as "Success".

Current Behavior

The status of the pipeline is shown as "Failed".

Reproduction Steps

This issue may occur in some accounts but is not necessarily encountered in all accounts.

Steps:

  1. Log in to the console
  2. Choose Log Analytics Pipelines -> AWS Service Logs / Application Logs
  3. Choose Create a Pipeline
  4. Enter the required parameters
  5. Choose Create

Possible Solution

No response

Additional Information/Context

No response

Solution Version

v2.1.2

AWS Region. e.g., us-east-1

us-east-1

Other information

No response

AlbertMingXu added the bug label Mar 28, 2024

AlbertMingXu commented Mar 28, 2024

Workaround:

  1. Log in to the AWS console where the CLO solution is deployed
  2. Choose IAM -> Roles
  3. Search for cfnHelper in the text box
  4. Choose the result, e.g. clo-APICfnFlowCfnHelperServiceRole6E635C-111CLC116X
  5. Create an inline policy with the following statement:

    ```json
    {
      "Action": [
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::{your account}:role/CL*",
        "arn:aws:iam::{your account}:role/aws-service-role/custom-resource.application-autoscaling.amazonaws.com/*",
        "arn:aws:iam::{your account}:policy/CL*",
        "arn:aws:iam::{your account}:instance-profile/CL*",
        "arn:aws:iam::{your account}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
        "arn:aws:iam::{your account}:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
        "arn:aws:iam::{your account}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
        "arn:aws:iam::{your account}:role/*-PipelineResourcesBuilderRole-*"
      ],
      "Effect": "Allow"
    }
    ```
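
Added example, not part of the original issue or the project's code: a Python sketch that wraps the statement from the workaround in a complete policy document for a given account ID and lists the resource entries a reviewer would want to look at before attaching it. The function names `build_policy` and `audit` are hypothetical, and the account ID is the sample one from the error text above.

```python
import json
import re

# Resource patterns from the workaround; "{acct}" replaces its "{your account}" placeholder.
RESOURCES = [
    "arn:aws:iam::{acct}:role/CL*",
    "arn:aws:iam::{acct}:role/aws-service-role/custom-resource.application-autoscaling.amazonaws.com/*",
    "arn:aws:iam::{acct}:policy/CL*",
    "arn:aws:iam::{acct}:instance-profile/CL*",
    "arn:aws:iam::{acct}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
    "arn:aws:iam::{acct}:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
    "arn:aws:iam::{acct}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
    "arn:aws:iam::{acct}:role/*-PipelineResourcesBuilderRole-*",
]


def build_policy(account_id):
    """Wrap the workaround statement in a complete IAM policy document."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:TagRole"],
            "Resource": [r.format(acct=account_id) for r in RESOURCES],
        }],
    }


def audit(policy, account_id):
    """Return (resource, reason) pairs worth a second look before attaching."""
    findings = []
    prefix = f"arn:aws:iam::{account_id}:"
    for stmt in policy["Statement"]:
        for res in stmt["Resource"]:
            if not res.startswith(prefix):
                findings.append((res, "not pinned to this account"))
            elif not res.startswith(prefix + "role/"):
                findings.append((res, "not a role ARN, so iam:TagRole never matches it"))
            elif res[len(prefix) + len("role/"):].startswith("*"):
                findings.append((res, "role name starts with a wildcard"))
    return findings


if __name__ == "__main__":
    doc = build_policy("123456789012")  # sample account ID from the issue text
    print(json.dumps(doc, indent=2))
    print(audit(doc, "123456789012"))
```

The printed JSON is a full policy document and can be supplied to `aws iam put-role-policy` through its `--policy-document` option for the cfnHelper role chosen in step 4.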
