AWS IAM role does not exist or is not attachable

Time:11-05

I encountered the following error when launching an AWS VPC from the command line interface following a quickstart guide here.

Commands used:

git clone https://github.com/aws-quickstart/quickstart-aws-biotech-blueprint-cdk.git
cd quickstart-aws-biotech-blueprint-cdk
npm install
npm run build
cdk bootstrap
npm run build && cdk deploy

Error message:

AwsBiotechBlueprint: creating CloudFormation changeset...
11:38:13 AM | CREATE_FAILED | AWS::IAM::Role | ConfigEnabledPromi...corderRoleFC6F886B
Policy arn:aws:iam::aws:policy/service-role/AWSConfigRole does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: f03b794e-7aa5-4f24-899e-2aefaa6e8fb3; Proxy: null)

I am using an IAM user (not Root) and the error appears to indicate that the "AWSConfigRole" policy is not associated with my user. To correct this error I added the "AWSConfigRole" permissions through the IAM management console via my web browser.

Unfortunately when I rerun the steps in the quickstart I still encounter the exact same error.

How can I ensure the updated permissions from the IAM management console are being properly communicated to the command line interface?

CodePudding user response:

I still encounter the exact same error.

Because this policy should be set up for the IAM role for the Config service to assume, not your IAM user. Also, the AWSConfigRole policy has long been deprecated. Now you should be using AWS_ConfigRole instead, explaining why it can't be used anymore.

It seems that the template you are deploying is old and not up to date. It's better to raise an issue about this with the devs of the template, as they should update it.
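
The check below is an added example, not part of the answer or of the quickstart project: it scans a synthesized CloudFormation template for IAM roles that still attach the deprecated AWSConfigRole managed policy, so the failure can be caught before `cdk deploy`. The function names, the sample template and its logical IDs are assumptions made for illustration.

```javascript
// Deprecated managed policy name -> replacement, both names as given in the answer.
const DEPRECATED = { AWSConfigRole: "AWS_ConfigRole" };

// Flatten a CloudFormation value to text. CDK usually emits managed policy ARNs as
// {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::aws:policy/..."]]},
// so a Ref is rendered as a "${...}" placeholder instead of being resolved.
function flattenArn(value) {
  if (typeof value === "string") return value;
  if (value && Array.isArray(value["Fn::Join"])) {
    const [sep, parts] = value["Fn::Join"];
    return Array.isArray(parts) ? parts.map(flattenArn).join(sep) : "${?}";
  }
  if (value && typeof value.Ref === "string") return "${" + value.Ref + "}";
  return "${?}"; // other intrinsics are left unresolved
}

// Return every AWS::IAM::Role that attaches a deprecated managed policy.
function findDeprecatedPolicies(template) {
  const findings = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== "AWS::IAM::Role") continue;
    const arns = (res.Properties && res.Properties.ManagedPolicyArns) || [];
    for (const raw of Array.isArray(arns) ? arns : []) {
      const arn = flattenArn(raw);
      const name = arn.slice(arn.lastIndexOf("/") + 1); // policy name after the path
      if (Object.prototype.hasOwnProperty.call(DEPRECATED, name)) {
        findings.push({ logicalId, arn, replaceWith: DEPRECATED[name] });
      }
    }
  }
  return findings;
}

// Constructed sample in the shape `cdk synth` writes; the logical IDs are made up.
const sampleTemplate = {
  Resources: {
    ExampleRecorderRole: {
      Type: "AWS::IAM::Role",
      Properties: { ManagedPolicyArns: [{ "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" },
        ":iam::aws:policy/service-role/AWSConfigRole"]] }] },
    },
    ExampleOkRole: {
      Type: "AWS::IAM::Role",
      Properties: { ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"] },
    },
    ExampleBucket: { Type: "AWS::S3::Bucket" },
  },
};
console.log(findDeprecatedPolicies(sampleTemplate));
```

To run it against a real deployment, pass the parsed JSON of the template that `cdk synth` writes into the `cdk.out` directory in place of the constructed sample.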
