Firehose Deployment Contradiction; RoleARN cannot be empty; Encountered unsupported Property RoleARN

Trying to create a Firehose Delivery Stream with this resource definition:

    SignatureFirehose:
      Type: AWS::KinesisFirehose::DeliveryStream
      Properties:
        DeliveryStreamName: ${self:service}-signature-firehose-${self:provider.stage}
        DeliveryStreamType: KinesisStreamAsSource
        KinesisStreamSourceConfiguration:
          KinesisStreamARN:
            Fn::GetAtt: [SignatureStream, Arn]
        S3DestinationConfiguration:
          BucketARN:
            Fn::GetAtt: [S3Store, Arn]
          BufferingHints:
            IntervalInSeconds: 300
            SizeInMBs: 5
          CompressionFormat: GZIP
          EncryptionConfiguration:
            KMSEncryptionConfig:
              # AWSKMSKeyARN expects a full KMS key ARN (arn:aws:kms:...) in the bucket's region,
              # not a bare alias name; this value will be rejected once the RoleARN issue is fixed.
              AWSKMSKeyARN: 'alias/aws/kinesis'
          Prefix: "fh/"
        RoleARN: # Note, nested directly under 'Properties'
          Fn::GetAtt: [FirehoseDelegateRole, Arn]

However, when I fire this up, I get: "An error occurred: SignatureFirehose - Encountered unsupported property RoleARN".

So if I indent the RoleARN so that it's a child of the S3 config, I get this helpful little fella:

"An error occurred: SignatureFirehose - Property RoleARN cannot be empty."

What am I missing!?

For the record, this is the FirehoseDelegateRole:

    FirehoseDelegateRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-fhdelegate
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - firehose.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: ${self:service}-fhdelegate
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - s3:ListAllMyBuckets
                    - s3:GetBucketLocation   # was 's3:GetBucketLocations', which is not an IAM action
                  Resource: '*'
                # Firehose delivers with multipart uploads, so ListBucket/GetObject alone is not
                # enough; the grant is also scoped to the S3Store bucket instead of every bucket
                # ('**' is not special in IAM resource patterns, it is just two wildcards).
                - Effect: Allow
                  Action:
                    - s3:ListBucket
                    - s3:ListBucketMultipartUploads
                  Resource:
                    - Fn::GetAtt: [S3Store, Arn]
                - Effect: Allow
                  Action:
                    - s3:GetObject
                    - s3:PutObject
                    - s3:AbortMultipartUpload
                  Resource:
                    - Fn::Join:
                        - ''
                        - - Fn::GetAtt: [S3Store, Arn]
                          - '/*'
                # When the same role is used as KinesisStreamSourceConfiguration.RoleARN it must
                # also be allowed to read the source stream.
                - Effect: Allow
                  Action:
                    - kinesis:DescribeStream
                    - kinesis:GetShardIterator
                    - kinesis:GetRecords
                    - kinesis:ListShards
                  Resource:
                    - Fn::GetAtt: [SignatureStream, Arn]

So, it turns out I was reading the error messages completely wrong: what was actually happening was that both the S3 destination config and the Kinesis event stream config need their own access roles, but the error messages don't go any 'deeper' than the top-level resource. :man_facepalming:
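The two error messages above only make sense once you know that `RoleARN` is a required property of each nested config, not of the delivery stream itself. The following Python lint is an added example, not code from the original post or from Serverless or AWS. It models the posted resources as a plain dict (constructed here from the thread, with `DeliveryStreamName` and the `${self:...}` placeholders trimmed), reports in one pass what CloudFormation reported one error at a time, and goes a step beyond the thread by checking that the referenced IAM role trusts firehose.amazonaws.com and grants the actions the AWS Firehose access-control documentation lists for a Kinesis stream source and an S3 destination. `fixed_resources()` is the corrected layout; its resource-scoped policy is an assumption about how you would want to tighten the role, not something the post specifies.

```python
# Offline lint for AWS::KinesisFirehose::DeliveryStream resources. CloudFormation reports
# one RoleARN problem at a time and names only the top-level resource, so this walks the
# nested configs directly and also checks the IAM role they point at.
import copy
import fnmatch

FIREHOSE_PRINCIPAL = "firehose.amazonaws.com"
# Actions the AWS Firehose access-control docs list for a Kinesis stream source / S3 destination.
KINESIS_SOURCE_ACTIONS = {"kinesis:DescribeStream", "kinesis:GetShardIterator",
                          "kinesis:GetRecords", "kinesis:ListShards"}
S3_DEST_ACTIONS = {"s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
                   "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject"}
# Nested configs whose RoleARN is required, and what that role must be allowed to do.
NESTED_ROLE_CONFIGS = {"KinesisStreamSourceConfiguration": KINESIS_SOURCE_ACTIONS,
                       "S3DestinationConfiguration": S3_DEST_ACTIONS,
                       "ExtendedS3DestinationConfiguration": S3_DEST_ACTIONS}

# The resources as posted in the thread (constructed here; names and ${self:...} placeholders trimmed).
POSTED = {
    "SignatureFirehose": {"Type": "AWS::KinesisFirehose::DeliveryStream", "Properties": {
        "DeliveryStreamType": "KinesisStreamAsSource",
        "KinesisStreamSourceConfiguration": {"KinesisStreamARN": {"Fn::GetAtt": ["SignatureStream", "Arn"]}},
        "S3DestinationConfiguration": {"BucketARN": {"Fn::GetAtt": ["S3Store", "Arn"]}, "Prefix": "fh/"},
        "RoleARN": {"Fn::GetAtt": ["FirehoseDelegateRole", "Arn"]},  # the mistake: directly under Properties
    }},
    "FirehoseDelegateRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": ["firehose.amazonaws.com"]}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "fhdelegate", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocations"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "arn:aws:s3:::*/**"}]}}],
    }},
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _role_logical_id(role_arn):
    """Logical id behind a Fn::GetAtt / Ref RoleARN; None for a literal ARN string."""
    if isinstance(role_arn, dict):
        return role_arn["Fn::GetAtt"][0] if "Fn::GetAtt" in role_arn else role_arn.get("Ref")
    return None

def _trusts_firehose(role):
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    return any(stmt.get("Effect") == "Allow"
               and FIREHOSE_PRINCIPAL in _as_list(stmt.get("Principal", {}).get("Service"))
               and "sts:AssumeRole" in _as_list(stmt.get("Action"))
               for stmt in doc.get("Statement", []))

def _allowed_actions(role):
    """Every Allow action in the role's inline policies; wildcards stay as fnmatch patterns."""
    return {a for policy in role.get("Properties", {}).get("Policies", [])
            for stmt in policy.get("PolicyDocument", {}).get("Statement", [])
            if stmt.get("Effect") == "Allow" for a in _as_list(stmt.get("Action"))}

def check_delivery_stream(resources, logical_id):
    """Return findings for one delivery stream; an empty list means it is clean."""
    findings = []
    props = resources[logical_id].get("Properties", {})
    if "RoleARN" in props:
        findings.append(f"{logical_id}: unsupported property RoleARN under Properties")
    for cfg_name, required in NESTED_ROLE_CONFIGS.items():
        cfg = props.get(cfg_name)
        if cfg is None:
            continue
        role_arn = cfg.get("RoleARN")
        if not role_arn:
            findings.append(f"{logical_id}.{cfg_name}: Property RoleARN cannot be empty")
            continue
        role = resources.get(_role_logical_id(role_arn))
        if role is None:
            continue  # literal or cross-stack ARN: nothing to inspect offline
        if not _trusts_firehose(role):
            findings.append(f"{cfg_name}: role does not let {FIREHOSE_PRINCIPAL} assume it")
        granted = _allowed_actions(role)
        missing = sorted(a for a in required if not any(fnmatch.fnmatchcase(a, g) for g in granted))
        if missing:
            findings.append(f"{cfg_name}: role is missing {', '.join(missing)}")
    return findings

def fixed_resources():
    """POSTED with RoleARN inside both nested configs and the documented, resource-scoped grants."""
    res = copy.deepcopy(POSTED)
    props = res["SignatureFirehose"]["Properties"]
    role_arn = props.pop("RoleARN")
    props["KinesisStreamSourceConfiguration"]["RoleARN"] = role_arn
    props["S3DestinationConfiguration"]["RoleARN"] = role_arn
    res["FirehoseDelegateRole"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"] = [
        {"Effect": "Allow", "Action": sorted(KINESIS_SOURCE_ACTIONS),
         "Resource": {"Fn::GetAtt": ["SignatureStream", "Arn"]}},
        {"Effect": "Allow", "Action": sorted(S3_DEST_ACTIONS),
         "Resource": [{"Fn::GetAtt": ["S3Store", "Arn"]}, {"Fn::Sub": "${S3Store.Arn}/*"}]}]
    return res
```

Run `check_delivery_stream(POSTED, "SignatureFirehose")` and you get all three problems at once: the stray top-level `RoleARN` plus an empty `RoleARN` in each nested config. Moving the property under only `S3DestinationConfiguration`, as in the second attempt above, leaves exactly one finding, the Kinesis source one, which is what the terse "Property RoleARN cannot be empty" was actually pointing at. The lint intentionally stops at intrinsic references it can resolve inside the same template; a literal ARN or a cross-stack import is deployed as-is.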