Unable to delete cfn stack, role is invalid or cannot be assumed

I'm new to aws cloudformation; I'm wondering if anybody knows of a way to force delete a stack when it just won't delete. It fails with this error:

Failed to delete stack: Role arn:aws:iam::role/CloudFormationRole-NestedCFN-CodePipeline is invalid or cannot be assumed

This error usually happens when I try to delete a nested child stack instead of starting by deleting the parent stack first. Is there any way to delete the nested stack if I accidentally deleted the parent stack?

Deniable answered 9/2, 2018 at 15:46 Comment(0)

I've had this problem a few times. The solution is a bit of a hack. In your case, you need to create a new role named CloudFormationRole-NestedCFN-CodePipeline. When you create this role, you'll likely need to select the CloudFormation service when it asks you to Choose the service that will use this role and then Attach permissions policies. Once the role is created, try to delete the stack again.
Some of this is a guessing game because you need to choose the correct resource (i.e. AWS service) that is a "trusted entity". Based on your role name, it's either CloudFormation or CodePipeline.

After you delete the CloudFormation stack, you can delete the IAM role you just created.

The reason you get this error is because you probably deleted a CloudFormation stack that has an IAM role that's being used by the stack you're trying to delete.

I wish there was a more elegant solution from AWS but this was my workaround.

Ethel answered 12/2, 2018 at 14:56 Comment(2)
Thanks very much, the hack worked for me! The other suggested solutions below didn't quite work but thanks for helping me out everyone! - Deniable
Thanks, this is not a hack but a good solution. As you mentioned, it's most likely because the IAM role required to delete the stack has been accidentally deleted. - Decile

I got the same problem and the only way to delete the stack was using the AWS CLI and executing the following command:

aws cloudformation delete-stack --role-arn arn:aws:iam::xxxx:role/anyrolewithpermissions --stack-name StuckStack

just be sure to use another role with enough permissions.

Component answered 16/2, 2018 at 7:21 Comment(10)
I would upvote this twice if I could. Helped me every time. - Guyot
This helped me when creating a role of the same name as the deleted role did not. - Groundmass
This helped me big time. I was trying to delete a nested stack but kept getting "role is invalid or cannot be assumed" even after creating new roles. I created a cloudformation-admin role with enough permissions to delete items in the stack and this command worked. Thanks. - Nicholenicholl
Excellent. Thank you. The 'official' method (aws.amazon.com/premiumsupport/knowledge-center/…) did not work for me. It's so hacky... hard to believe they documented it instead of coming up with a way to do this in the console. - Septum
There is a slightly clearer article on the knowledge center now: aws.amazon.com/premiumsupport/knowledge-center/… - Emit
Simple solution that works perfectly fine! - Wilder
Make sure to replace xxxx with your account id and anyrolewithpermission with a valid role with the required permission. If you don't know what permissions are required, just create a new temporary role with admin permissions. - Vermicide
Four years have passed, this is still the best solution! - Biflagellate
I can't believe how easy this solution is after struggling for two years to create referred roles manually. - Oday
Mwah xxxxxxxxxxx - Diggins

This usually happens when a role required to delete the stack has been accidentally deleted. You may get the error message

Role arn:aws:iam::<account>:role/<role name> is invalid or cannot be assumed

Go to IAM > roles > create role > click on cloudformation for the service > make sure you give it the right permissions so that cloudformation can delete the stack (in my case I gave it admin permissions because I was planning to delete the role straight after I deleted the stack) > for Role name use the same role name in the error message.

You should now be able to delete the stack

Decile answered 2/4, 2021 at 20:51 Comment(1)
"make sure you give it the right permissions so that cloudformation can delete the stack" ... what's the name of the permissions needed to delete stacks? There are literally 34 pages each containing around 20 policies. - Constable

In my case I had this error:

Role arn:aws:iam::729248252823:role/cdk-hnb659fds-cfn-exec-role-729248252823-eu-central-1 is invalid or cannot be assumed

I fixed this problem by following these steps:

  1. Go to IAM
  2. Select Roles
  3. Click Create Role
  4. Make sure the AWS Service (Trusted entity type) is selected
  5. In the dropdown menu on the same page where you can select services select CloudFormation service
  6. Click Next
  7. From the permissions policies list select AdministratorAccess
  8. Click Next
  9. In the role details page provide a name of the role copied from the error message. In my case it's cdk-hnb659fds-cfn-exec-role-729248252823-eu-central-1
  10. Click Create Role
  11. Done

You can now go to the CloudFormation page and try deleting the stack again.

Should work!

Selfexamination answered 29/1 at 3:8 Comment(0)
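The console steps in the answers above (recreate the role under the name from the error, trusted by CloudFormation, grant it AdministratorAccess, delete the stack, remove the role) and the CLI answer's `delete-stack --role-arn` call, combined into one script. This is an added example, not code from any poster; it assumes AWS CLI v2, a caller allowed to manage IAM roles and delete stacks, and the function names (`role_name_from_error`, `trust_policy`, `recover_stuck_stack`) are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Recreates a deleted CloudFormation execution
# role just long enough to delete the stuck stack, then removes it again.
# Assumes AWS CLI v2 and a caller allowed to manage IAM roles and delete stacks.
set -eu

ADMIN_POLICY="arn:aws:iam::aws:policy/AdministratorAccess"   # what the answers above grant

# Extract the role name from the error text, e.g.
#   "Role arn:aws:iam::123456789012:role/MyRole is invalid or cannot be assumed" -> MyRole
role_name_from_error() {
  printf '%s\n' "$1" | sed -n 's|.*arn:aws:iam::[0-9:]*role/\([^ ]*\) is invalid.*|\1|p'
}

# Trust policy: only the CloudFormation service may assume the recreated role.
trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudformation.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Usage: recover_stuck_stack <stack-name> "<error message from the console>"
recover_stuck_stack() {
  stack="$1"
  role="$(role_name_from_error "$2")"
  [ -n "$role" ] || { echo "could not parse a role name from the error" >&2; return 1; }
  account="$(aws sts get-caller-identity --query Account --output text)"
  created=0
  # Only recreate the role if it is really gone; the same error also appears when the
  # role exists but its trust policy does not allow cloudformation.amazonaws.com.
  if ! aws iam get-role --role-name "$role" >/dev/null 2>&1; then
    aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(trust_policy)" >/dev/null
    aws iam attach-role-policy --role-name "$role" --policy-arn "$ADMIN_POLICY"
    created=1
    sleep 15   # IAM is eventually consistent; let the new role propagate
  fi
  aws cloudformation delete-stack --stack-name "$stack" \
    --role-arn "arn:aws:iam::${account}:role/${role}"
  aws cloudformation wait stack-delete-complete --stack-name "$stack"
  # Do not leave an admin-capable role behind once the stack is gone.
  if [ "$created" -eq 1 ]; then
    aws iam detach-role-policy --role-name "$role" --policy-arn "$ADMIN_POLICY"
    aws iam delete-role --role-name "$role"
  fi
}

if [ "$#" -eq 2 ]; then
  recover_stuck_stack "$1" "$2"
fi
```

If the role already exists and the error persists, the script leaves it alone; in that case check the role's trust policy rather than its permissions.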

This generally occurs in the case of nested stacks. Simply create a role with the same name and grant full administrator access permission to the role. With this permission, the role will be able to delete the stack. Delete the role after successful stack deletion.

Volva answered 4/9, 2019 at 11:55 Comment(1)
This was the only solution that worked for me. - Crossbreed

Unfortunately there is no way to force delete a CF Stack.

Couple of things that you can try:

  1. Delete the conflicting resource manually and then re-initiate stack deletion.
  2. Delete the conflicting resource from the CF template and update the Stack with it.

Sarene answered 9/2, 2018 at 21:45 Comment(0)

In my case, I deleted the pipeline that created the stack(s) and this removed the Role used by the stack.

Option 1) Role up another pipeline from the pipeline stack, then "update" the stack you can't delete, but tell it to use the new role created by the pipeline. Then delete the stack (even if update fails, the new role is still in play, and you can delete).

Option 2) Create a role matching the role you have deleted (in my case it was as below) and then update stack using this role, then delete.

CloudformationServiceRole:
  Type: AWS::IAM::Role
  Properties:
    # Trust policy: only the CloudFormation service may assume this role
    AssumeRolePolicyDocument:
      Statement:
      - Action:
        - sts:AssumeRole
        Effect: Allow
        Principal:
          Service:
          - cloudformation.amazonaws.com
      Version: '2012-10-17'
    Path: "/"
    # Inline policy: full access, so the role can delete whatever the stuck stack contains
    Policies:
      - PolicyName: DeployCloudformationStack
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Resource: "*"
            Effect: Allow
            Action:
            - "*"

There may be other repairs to do afterwards!

Jehiel answered 26/8, 2018 at 13:30 Comment(0)

An easier way to solve this issue is to use a change set. The following steps can be followed:

  1. Create a role with the correct rights
  2. Select the stack you wish to delete and create change set
  3. In the change set, use the existing template, navigate through the wizard but change the IAM role it uses
  4. Then create and execute the change set.

Then you can delete the stack accordingly.

Scamander answered 21/12, 2018 at 14:23 Comment(0)

For those who may have missed this, I found deleting the CDKToolkit stack and running cdk bootstrap again fixed this issue for me.

Unipod answered 12/2, 2023 at 22:12 Comment(0)

It's a role problem; even if the user has the right policies, you might do the following:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles.
  3. In the Role name column, choose the IAM role that's mentioned in the error message that you received.

If the role doesn't exist:

  1. Create a new IAM role (CloudFormationFullAccess)

  2. Confirm that the new IAM role has the required permissions for AWS CloudFormation to perform create, update, or delete operations on resources in your stack.

Then try

aws cloudformation delete-stack --stack-name YourStackName --role-arn arn:aws:iam::XXXXX:role/CloudFormationFullAccess (or the role name assigned)

Complete article about the issue

Soinski answered 7/12, 2023 at 3:9 Comment(0)

Accidental deletion caused my same issue. Recreate role -> gave admin access temporarily -> deleted stacks and removed role. This got it sorted.

Aspirant answered 8/6 at 16:57 Comment(0)