IAM role and Kinesis stream should belong to the same account


serverless.yml

service: infrastructure-service

provider:
  name: aws
  runtime: nodejs8.10
  stage: ${opt:stage, 'dev'}
  stackName: ${self:service}-${self:provider.stage}
  region: eu-central-1

resources:
  Resources:
    ${file(resources.yml)}

resources.yml

KinesisStreamRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: KinesisStreamRole
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - kinesis.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: KinesisStreamPolicy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - kinesis:*
              Resource: '*'

KinesisFirehoseS3Role:
  Type: AWS::IAM::Role
  Properties:
    RoleName: KinesisFirehoseS3Role
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - firehose.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: KinesisFirehoseS3Policy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:AbortMultipartUpload
                - s3:GetBucketLocation
                - s3:GetObject
                - s3:ListBucket
                - s3:ListBucketMultipartUploads
                - s3:PutObject
              Resource: '*'

KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: kinesis-stream-${self:provider.stage}
    ShardCount: 1

KinesisFirehoseBucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: Retain
  Properties:
    BucketName: kinesis-stream-firehose-bucket-${self:provider.stage}

KinesisFirehoseDeliveryStream:
  Type: AWS::KinesisFirehose::DeliveryStream
  Properties:
    DeliveryStreamName: kinesis-stream-firehose-${self:provider.stage}
    DeliveryStreamType: KinesisStreamAsSource
    KinesisStreamSourceConfiguration:
      KinesisStreamARN:
        Fn::Join:
          - ''
          - - 'arn:aws:kinesis:::'
            - Ref: KinesisStream
      RoleARN: { Fn::GetAtt: [ KinesisStreamRole, Arn ] }
    S3DestinationConfiguration:
      BucketARN:
        Fn::Join:
          - ''
          - - 'arn:aws:s3:::'
            - Ref: KinesisFirehoseBucket
      BufferingHints:
        IntervalInSeconds: 60
        SizeInMBs: 1
      CompressionFormat: 'UNCOMPRESSED'
      RoleARN: { Fn::GetAtt: [ KinesisFirehoseS3Role, Arn ] }

I am trying to create a Kinesis stream, with Firehose and an S3 bucket.

The following error occurs:

An error occurred: KinesisFirehoseDeliveryStream - IAM role and Kinesis stream should belong to the same account. (Service: AmazonKinesisFirehose; Status Code: 400; Error Code: InvalidArgumentException; Request ID: xxxxxxxxxxx).

Can somebody tell me what’s going wrong?
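
An added example, not part of the original post: `Ref` on an `AWS::Kinesis::Stream` returns the stream name, so the `Fn::Join` in the post produces `arn:aws:kinesis:::<name>`, an ARN with empty region and account fields. The fragment below assumes that is the cause of the error; it takes the ARN from `Fn::GetAtt`, trusts Firehose as the service that assumes the source role, and scopes the policy to the one stream.

```yaml
# Added example: corrected fragments of resources.yml (not the poster's code).
KinesisStreamRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: KinesisStreamRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              # Firehose, not Kinesis, assumes the role named in
              # KinesisStreamSourceConfiguration.RoleARN
              - firehose.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: KinesisStreamPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              # Read-only actions Firehose needs on a source stream,
              # in place of kinesis:*
              Action:
                - kinesis:DescribeStream
                - kinesis:GetShardIterator
                - kinesis:GetRecords
                - kinesis:ListShards
              # Scoped to this stream instead of '*'
              Resource: { Fn::GetAtt: [ KinesisStream, Arn ] }

KinesisFirehoseDeliveryStream:
  Type: AWS::KinesisFirehose::DeliveryStream
  Properties:
    DeliveryStreamName: kinesis-stream-firehose-${self:provider.stage}
    DeliveryStreamType: KinesisStreamAsSource
    KinesisStreamSourceConfiguration:
      # Full ARN: arn:aws:kinesis:<region>:<account-id>:stream/<name>
      KinesisStreamARN: { Fn::GetAtt: [ KinesisStream, Arn ] }
      RoleARN: { Fn::GetAtt: [ KinesisStreamRole, Arn ] }
    S3DestinationConfiguration:
      # S3 bucket ARNs carry no region or account, so joining the
      # prefix with the bucket name is valid here; GetAtt is shorter
      BucketARN: { Fn::GetAtt: [ KinesisFirehoseBucket, Arn ] }
      BufferingHints:
        IntervalInSeconds: 60
        SizeInMBs: 1
      CompressionFormat: 'UNCOMPRESSED'
      RoleARN: { Fn::GetAtt: [ KinesisFirehoseS3Role, Arn ] }
```

The `Resource: '*'` on `KinesisFirehoseS3Role` in the post can be narrowed the same way, to the bucket ARN and the bucket ARN followed by `/*`.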