IAM role and Kinesis stream should belong to the same account

yooouuri · February 6, 2019, 9:46am

serverless.yml

service: infrastructure-service

provider:
  name: aws
  runtime: nodejs8.10
  stage: ${opt:stage, 'dev'}
  stackName: ${self:service}-${self:provider.stage}
  region: eu-central-1

resources:
  Resources:
    ${file(resources.yml)}

resources.yml

KinesisStreamRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: KinesisStreamRole
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - kinesis.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: KinesisStreamPolicy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - kinesis:*
              Resource: '*'

KinesisFirehoseS3Role:
  Type: AWS::IAM::Role
  Properties:
    RoleName: KinesisFirehoseS3Role
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - firehose.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: KinesisFirehoseS3Policy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:AbortMultipartUpload
                - s3:GetBucketLocation
                - s3:GetObject
                - s3:ListBucket
                - s3:ListBucketMultipartUploads
                - s3:PutObject
              Resource: '*'

KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: kinesis-stream-${self:provider.stage}
    ShardCount: 1

KinesisFirehoseBucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: Retain
  Properties:
    BucketName: kinesis-stream-firehose-bucket-${self:provider.stage}

KinesisFirehoseDeliveryStream:
  Type: AWS::KinesisFirehose::DeliveryStream
  Properties:
    DeliveryStreamName: kinesis-stream-firehose-${self:provider.stage}
    DeliveryStreamType: KinesisStreamAsSource
    KinesisStreamSourceConfiguration:
      KinesisStreamARN:
        Fn::Join:
          - ''
          - - 'arn:aws:kinesis:::'
            - Ref: KinesisStream
      RoleARN: { Fn::GetAtt: [ KinesisStreamRole, Arn ] }
    S3DestinationConfiguration:
      BucketARN:
        Fn::Join:
          - ''
          - - 'arn:aws:s3:::'
            - Ref: KinesisFirehoseBucket
      BufferingHints:
        IntervalInSeconds: 60
        SizeInMBs: 1
      CompressionFormat: 'UNCOMPRESSED'
      RoleARN: { Fn::GetAtt: [ KinesisFirehoseS3Role, Arn ] }

I am trying to create a Kinesis stream, with Firehose and a S3 bucket.

The follow errr occur:

An error occurred: KinesisFirehoseDeliveryStream - IAM role and Kinesis stream should belong to the same account. (Service: AmazonKinesisFirehose; Status Code: 400; Error Code: InvalidArgumentException; Request ID: xxxxxxxxxxx).

Can somebody tell me what’s going wrong?

ewillis489 · February 28, 2019, 12:22am

Hi yoouuri,

I’m getting the same error as well when trying to do the same thing.

You figure this out? Or still stuck too?

pengyue · July 3, 2020, 12:34am

I also have the same issue with the same yaml above, anyone has a solution? thanks!

Topic		Replies	Views
Creating a Kinesis Firehose Stream in Serverless YAML with IamRoleLambdaExecution Role Serverless Framework	3	7967	December 4, 2019
Kinesis Lambda execution role Serverless Framework	3	4027	September 30, 2016
Accessing Resources Across Accounts Serverless Framework lambda , iam	0	622	June 2, 2021
Problem with generated IAM Roles Serverless Framework aws , lambda	0	1638	February 22, 2018
Lambda logs -> Kinesis via CloudWatch Logs subscription Serverless Framework aws	1	2719	February 10, 2017

IAM role and Kinesis stream should belong to the same account

Related topics