alexcasalboni / aws-lambda-power-tuning

AWS Lambda Power Tuning is an open-source tool that can help you visualize and fine-tune the memory/power configuration of Lambda functions. It runs in your own AWS account - powered by AWS Step Functions - and it supports three optimization strategies: cost, speed, and balanced.


Unable to deploy (not authorized to perform iam:CreateRole)

jp-chl opened this issue · comments

Hi,
I'm trying to deploy either by using SAM or with AWS Serverless Application Repository with no luck.

I'm using an AWS account with full Owner permissions, however, all the template roles (analyzerRole, optimizerRole, executorRole) failed in CloudFormation with the following error: "API: iam:CreateRole User: arn:aws:sts::xxxxxx:assumed-role/Owner/myemail@domain.com is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxx:role/serverlessrepo-aws-lambda-power-tunin-analyzerRole-30U2WSAK4KID with an explicit deny"

The previous events in CloudFormation show:

  • LogicalId: analyzerRole, Status reason: Did not have IAM permissions to process tags on AWS::IAM::Role resource.
  • LogicalId: executorRole, Status reason: Did not have IAM permissions to process tags on AWS::IAM::Role resource.
  • LogicalId: optimizerRole, Status reason: Did not have IAM permissions to process tags on AWS::IAM::Role resource.

Is there any workaround or CloudFormation template suggestion to overcome this issue?

Thanks in advance

Hi @jp-chl, thanks for reporting!

It looks like your role can create IAM roles but lacks permissions to tag IAM roles.

You'll need to enable the tag:TagResource action, as well as iam:ListRoleTags and iam:TagRole (more details here and here).

This is required because SAR automatically tags your IAM Roles with the app version and app id (see screenshot below).

[Screenshot: 2022-01-20 09:41:31, showing the app version and app id tags that SAR applies to the IAM roles]

If your role already has full permissions, make sure there isn't any explicit deny somewhere else (for example, in a Service Control Policy at the account level).
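The failure mode described above (a principal with broad Allow permissions still hitting an explicit deny on the tagging actions) is easy to reproduce offline. The following is an added example, not code from this repository or from the issue participants: it lists the actions named in the answer plus `iam:CreateRole` from the error message, builds a least-privilege identity policy for them, and applies the basic IAM precedence rule (explicit Deny beats Allow, otherwise implicit deny) to a constructed Owner-style policy and a constructed SCP-like deny. The sample policy documents and the `deploy_policy_document` helper are assumptions; conditions, `NotAction`, permission boundaries and resource-level matching are deliberately not modelled.

```python
"""Offline sketch of IAM Allow/Deny precedence for the SAR deployment failure.
Added example, not part of aws-lambda-power-tuning. Real IAM evaluation also
covers conditions, NotAction, permission boundaries and resource policies."""
from fnmatch import fnmatchcase

# Actions the maintainer's answer says the deploying principal needs;
# iam:CreateRole comes from the CloudFormation error message in the issue.
REQUIRED_ACTIONS = (
    "iam:CreateRole",
    "iam:TagRole",
    "iam:ListRoleTags",
    "tag:TagResource",
)


def deploy_policy_document(role_arn_pattern="*"):
    """Identity policy granting only the actions above (assumed helper).
    The Resource pattern is an assumption; scope it to the stack's role ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PowerTuningRoleSetup",
                "Effect": "Allow",
                "Action": list(REQUIRED_ACTIONS),
                "Resource": role_arn_pattern,
            }
        ],
    }


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _statements(policy_docs):
    # Normalise the shapes IAM accepts: Statement may be a dict or a list,
    # Action may be a string or a list.
    for doc in policy_docs:
        stmts = doc["Statement"]
        if isinstance(stmts, dict):
            stmts = [stmts]
        for stmt in stmts:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            yield stmt["Effect"], actions


def evaluate(action, policy_docs):
    """Simplified decision: any explicit Deny wins; otherwise an Allow is
    required; otherwise the request is implicitly denied."""
    decision = "implicitDeny"
    for effect, actions in _statements(policy_docs):
        if any(_matches(pattern, action) for pattern in actions):
            if effect == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def blocked_actions(policy_docs):
    """Map each required action that would not be allowed to its decision."""
    return {
        action: decision
        for action in REQUIRED_ACTIONS
        if (decision := evaluate(action, policy_docs)) != "allow"
    }


# Constructed samples (not taken from the issue): an Owner-style policy that
# allows everything, and an SCP-like document that explicitly denies tagging.
OWNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}
TAGGING_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["iam:TagRole", "tag:*"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    # Owner alone: nothing blocked.
    print(blocked_actions([OWNER_POLICY]))
    # Owner plus the deny: the two tagging actions are explicitly denied,
    # which is why the stack reports it cannot process tags on the roles.
    print(blocked_actions([OWNER_POLICY, TAGGING_DENY_SCP]))
```

When the output shows `explicitDeny` even though the identity policy allows everything, the deny is coming from another layer (an SCP, a permission boundary or a separate attached policy), which matches the advice above to look beyond the principal's own permissions.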

Thank you very much!
I've tried with a root account and it works well.

Will keep looking in IAM. Thanks!

Great, thanks for the update 🙏

I'm going to close this issue then :)

Let me know if you encounter other issues with IAM; feel free to reopen this issue.