Resolve the "Role arn is invalid or cannot be assumed" error when updating or deleting an AWS CloudFormation stack

From Luniwiki

Error

CloudFormation stores the ARN of the service role passed at stack creation (or on the last update that passed --role-arn) and assumes that role for every later update or delete. If the role has since been deleted, or its trust policy no longer allows cloudformation.amazonaws.com to assume it, the operation fails with:

An error occurred (ValidationError) when calling the DeleteStack operation: Role arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME> is invalid or cannot be assumed

Resolution

Create a replacement role that CloudFormation can assume and that has permission to delete the stack's resources, then pass its ARN to delete-stack with --role-arn. The role given on the call replaces the one stored on the stack. Two things to check before running the commands: the identity running the CLI needs iam:PassRole on the new role, and AdministratorAccess (used below because it is guaranteed to cover whatever the stack contains) should be replaced with a policy scoped to the stack's resource types where you know them. Note also that the trust policy below names the CloudFormation service principal with no conditions, so the role can be assumed on behalf of stacks in other accounts as well; if the role is going to outlive this one-off cleanup, add aws:SourceAccount and aws:SourceArn conditions.

Create role

aws iam create-role --role-name RemoveCFN \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "CFN",
      "Effect": "Allow",
      "Principal": { "Service": "cloudformation.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }]
  }'
aws iam attach-role-policy --role-name RemoveCFN --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Delete the stack with the new role

aws cloudformation delete-stack --stack-name <StackNAME> \
  --role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/RemoveCFN

Remove role

This step is optional. Do not run it until the deletion has actually finished (aws cloudformation wait stack-delete-complete, or the stack has disappeared from the console): if the stack ends in DELETE_FAILED, the retry still needs the role, and deleting it early brings back the same error.

aws iam detach-role-policy --role-name RemoveCFN --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam delete-role --role-name RemoveCFN
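The whole procedure as one script, added here as an example rather than taken from the page: it reads the role ARN the stack still references, confirms the role is really gone (if it still exists the problem is its trust policy, not deletion), creates the replacement role with a trust policy limited to this account and this stack, deletes the stack, waits for the deletion to complete, and only then removes the role. The role name RemoveCFN and the use of AdministratorAccess follow the page; the helper function names, the STACK_NAME environment variable and the aws:SourceAccount / aws:SourceArn condition (AWS's documented confused-deputy guard for service roles) are this example's own choices. It assumes AWS CLI v2 credentials for the stack's account.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: recover a stack whose service
# role is gone by creating a replacement role, deleting the stack with it,
# and removing the role once the deletion has completed.
# Assumptions: AWS CLI v2 configured for the stack's account; ROLE_NAME,
# STACK_NAME and the helper names below are this example's own.
set -euo pipefail

ROLE_NAME="${ROLE_NAME:-RemoveCFN}"
POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Last path segment of an IAM role ARN; fails for anything that is not a role ARN.
role_name_from_arn() {
  case "$1" in
    arn:aws:iam::*:role/*) printf '%s\n' "${1##*/}" ;;
    *) return 1 ;;
  esac
}

# Turn a stack ID (arn:...:stack/NAME/UUID) into the pattern used below, so the
# role can only be assumed for this stack, whatever UUID it gets.
stack_arn_pattern() {
  printf '%s/*\n' "${1%/*}"
}

# Trust policy: only CloudFormation, and only on behalf of this account and
# this stack (aws:SourceAccount / aws:SourceArn are AWS's documented
# confused-deputy guard for CloudFormation service roles).
trust_policy() {
  local account="$1" source_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CFN",
    "Effect": "Allow",
    "Principal": { "Service": "cloudformation.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "aws:SourceAccount": "${account}" },
      "ArnLike": { "aws:SourceArn": "${source_arn}" }
    }
  }]
}
EOF
}

recover_and_delete() {
  local stack="$1" account stack_id old_role new_role_arn attempt=0
  account="$(aws sts get-caller-identity --query Account --output text)"
  stack_id="$(aws cloudformation describe-stacks --stack-name "$stack" \
                --query 'Stacks[0].StackId' --output text)"
  old_role="$(aws cloudformation describe-stacks --stack-name "$stack" \
                --query 'Stacks[0].RoleARN' --output text)"
  echo "stack $stack references service role: $old_role"

  # If the stored role still exists, deletion is not the cause: inspect its
  # trust policy instead of replacing it blindly.
  if [ "$old_role" != "None" ] && \
     aws iam get-role --role-name "$(role_name_from_arn "$old_role")" >/dev/null 2>&1; then
    echo "role still exists; check that its trust policy allows cloudformation.amazonaws.com" >&2
    return 1
  fi

  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$account" "$(stack_arn_pattern "$stack_id")")" \
    >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  new_role_arn="arn:aws:iam::${account}:role/${ROLE_NAME}"

  # IAM is eventually consistent: a freshly created role can be rejected for a
  # few seconds, so retry the call that passes the new role.
  until aws cloudformation delete-stack --stack-name "$stack" --role-arn "$new_role_arn"; do
    attempt=$((attempt + 1))
    [ "$attempt" -lt 6 ] || { echo "delete-stack still rejected after $attempt attempts" >&2; return 1; }
    sleep 10
  done

  # Block until the stack is gone. On DELETE_FAILED this command exits
  # non-zero and, under set -e, the role is left in place for the retry.
  aws cloudformation wait stack-delete-complete --stack-name "$stack"

  aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  aws iam delete-role --role-name "$ROLE_NAME"
}

# Usage: STACK_NAME=<StackNAME> ./recover-stack.sh
if [ -n "${STACK_NAME:-}" ]; then
  recover_and_delete "$STACK_NAME"
fi
```

The script only talks to AWS when STACK_NAME is set, so the pure helpers (role_name_from_arn, stack_arn_pattern, trust_policy) can be sourced and checked offline. Because the wait command fails the script on DELETE_FAILED before the cleanup lines run, a failed deletion leaves RemoveCFN in place and the same command can simply be re-run once the blocking resource has been dealt with.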

Daniel Simao 12:19, 27 March 2023 (EDT)