Skip to main content
NetApp Knowledge Base

BlueXP AWS CVO create - subtask "Create Cloud Formation Stack" for AWS S3 fails with error "no identity-based policy allows the iam:TagRole"

  1. Last updated
  2. Save as PDF
Views:
123
Visibility:
Public
Votes:
0
Category:
cloud-manager
Specialty:
netapp_console
Last Updated:

Applies to

  • Amazon Web Service (AWS)
  • Cloud Volumes ONTAP (CVO) deployment
  • High Availability (HA) and single node
  • Simple Storage Service (S3) used for Fabricpool or CBS
  • Cloud Backup Service (CBS)

Issue

BlueXP AWS CVO create with AWS S3 for either fabricpool or CBS or both - subtask "Create Cloud Formation Stack" for AWS S3 fails with error "no identity-based policy allows the iam:TagRole"
 
Error:
 
BlueXP Timeline:
 
Create VSA Environment:
Aug 26 2024, 5:23:38 pm
Create Cloud Formation Stack
failed

cvo-instance-profile-version10-f21de2f5-63be-11ef-a3f3-7ba0fb45a1c4
Aug 26 2024, 5:23:18 pm

Error:

The following resource(s) failed to create: [IamInstanceRole]. Resource handler returned message: "Encountered a permissions error performing a tagging operation, 
please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. 
Resource handler returned message: "User: arn:aws:sts::69199abcdef6:assumed-role/bluexpCloud-Manager-Operator-Gk0aQL0/i-0b4049d89620868d3 is not authorized to 
perform: iam:TagRole on resource: arn:aws:iam::69199abcdef6:role/cvo-instance-profile-version10-f21d-IamInstanceRole-OiiFvLfNQ15W because no identity-based policy 
allows the iam:TagRole action (Service: Iam, Status Code: 403, Request ID: a0c04413-78a4-456e-ab9a-xxxx)"" (RequestToken: 216aae93-5668-d1ae-1c33-yyy, 
HandlerErrorCode: UnauthorizedTaggingOperation


...

Aug 26 2024, 5:23:18 pm
Create Cloud Formation Stack
success
{
  "name": "cvo-instance-profile-version10-f21de2f5-63be-11ef-a3f3-7ba0fb45a1c4",
  "_result": "arn:aws:cloudformation:us-east-1:691999302746:
  stack/cvo-instance-profile-version10-f21de2f5-63be-11ef-a3f3-7ba0fb45a1c4/1f15a3f0-63bf-11ef-8ed9-0affc143be6f",
  "disableRollback": true,
  "tags": {
    "InstanceProfileResourcesStackName": "cvo-instance-profile-version10-f21de2f5-63be-11ef-a3f3-7ba0fb45a1c4"
  },
  "_region": "us-east-1",
  "templateIsUrl": false,
  "templateName": null,
  "timeout": "15 minutes",
  "parameters": {
    "EC2Endpoint": "ec2.amazonaws.com",
    "FabricPoolBucketName": "fabric-pool-f21de2f5-63be-11ef-a3f3-xxxyyyyyyy",
    "S3ARN": "arn:aws:s3"
  }
}
 
Impacts:
  • CVO create succeeds but no tiering(fabricpool) or CBS to AWS S3 is possible
  • AWS S3 buckets are not displayed on Connector canvas -> storage

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.