Firehose is unable to assume role
I'm trying to use the Firehose API (JS) and I keep getting the following error:

"InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::XXXXXXXXXX:role/NAME. Please check the role provided."

I checked the role and I have set my custom policy to include all resources for STS and Firehose actions. I have no clue why this error exists if I'm allowing AssumeRole under STS.

Method Calling

The method I'm using is createDeliveryStream(params = {}, callback) with S3DestinationConfiguration.

Policy JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:*",
                "kinesisvideo:*",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:*",
                "firehose:*",
                "sts:*",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}
Bename answered 25/4, 2019 at 17:6 Comment(7)
It would be far easier to answer if you actually showed the role in your question. But I suspect that you're missing the Principal element. - Extinctive
I agree, I will update that soon. AWS Console is down. I agree with you, I try to set the principal but it gives me some error, which I will also update as well. - Bename
@Extinctive Updated. - Bename
Can you check the trust relationship defined in the IAM role and verify that it is set to firehose.amazonaws.com? - Lindbom
@Lindbom Thank you so much. That resolved the issue. I will accept your answer. - Bename
Cool, I will type that up. Glad to help. - Lindbom
I barely see any doc for this. - Bename

Please check the trust relationship defined in the IAM role and verify that it is set to firehose.amazonaws.com. The policy defined in the trust relationship enables services to assume the role. For Kinesis Firehose, refer to this document, which contains details about IAM roles for Firehose. Refer to the "Grant Kinesis Data Firehose Access to an Amazon S3 Destination" section in the document, which mentions the trust policy.

Lindbom answered 25/4, 2019 at 20:3 Comment(0)
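
The check described in the answer, as an added example that is not part of the original post: a role's permissions policy (like the one in the question) never names a Principal, so only the trust relationship decides whether firehose.amazonaws.com may assume the role. The function name `serviceCanAssume` and the three sample policies are constructed for illustration.

```javascript
// Added example: does a role's trust policy let a given AWS service assume it?
// Only explicit Principal.Service entries are counted; Condition blocks are
// not evaluated, and a matching Deny statement is treated as blocking.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function serviceCanAssume(policy, service) {
  const doc = typeof policy === "string" ? JSON.parse(policy) : policy;
  let allowed = false;
  for (const stmt of asList(doc.Statement)) {
    // A trust policy names who may assume the role in Principal.Service.
    const p = stmt.Principal;
    const services = p && typeof p === "object" ? asList(p.Service) : [];
    const coversAssume = asList(stmt.Action).some((a) =>
      ["*", "sts:*", "sts:assumerole"].includes(String(a).toLowerCase())
    );
    if (!services.includes(service) || !coversAssume) continue;
    if (stmt.Effect === "Deny") return false;
    if (stmt.Effect === "Allow") allowed = true;
  }
  return allowed;
}

// Constructed sample: a permissions policy shaped like the one in the question.
// It allows sts:* on all resources but has no Principal, so it trusts nobody.
const permissionsPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "VisualEditor0", Effect: "Allow", Action: ["firehose:*", "sts:*", "s3:*"], Resource: "*" },
  ],
};

// Constructed sample: a trust relationship that names the Firehose service.
const firehoseTrust = {
  Version: "2012-10-17",
  Statement: { Effect: "Allow", Principal: { Service: "firehose.amazonaws.com" }, Action: "sts:AssumeRole" },
};

// Constructed sample: a trust relationship that names a different service.
const otherServiceTrust = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: ["ec2.amazonaws.com"] }, Action: "sts:AssumeRole" }],
};

for (const [name, doc] of Object.entries({ permissionsPolicy, firehoseTrust, otherServiceTrust })) {
  console.log(name, serviceCanAssume(doc, "firehose.amazonaws.com"));
}
```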
