Doug.Instance

Not Authorized Error Deleting CloudFormation Stack

Mar 27, 2023

Whether you actually read my post on setting up pipelines for AWS SAM or you otherwise figured out it is a good idea to use a specific role for your CloudFormation stacks, there is a good chance you might stumble on the following error when trying to delete a stack:

User: arn:aws:iam::[account ID]:user/sts-role-assumer is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/RoleAttachedToStackThatNoLongerExists

What most likely happened here is that you used one stack to create the role you want CloudFormation to assume and then created the stack you can no longer delete. Then you deleted the stack that created the CloudFormation role (and therefore deleted the role itself) before you deleted all of the stacks using the role. Never fear! The error above tells you exactly what you need to do. You just need to create a new role with the same name in the same account ("RoleAttachedToStackThatNoLongerExists" in this example) and then grant it the same permissions as your original role.

Now you may have already tried this by recreating a stack with the same template you originally used to create the CloudFormation role. If you did not specify a unique name for the role, then the role will be created with a random suffix and therefore won't match the role name attached to the stack you are trying to delete. You will either need to modify the template to use the exact name as shown in the error, or manually create the role. If you manually create the role, just make sure to delete it after you delete the stack that raised this error.
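The manual route described above, sketched with the AWS CLI as an added example (not code from the original post). The function names are hypothetical. It assumes the role has no IAM path, that the original role trusted the CloudFormation service, and that you pass in the ARN of a managed policy carrying the same permissions the original role had.

```shell
#!/usr/bin/env bash
# Added example: recreate a deleted CloudFormation role under its exact
# original name, delete the stuck stack, then remove the temporary role.

# Extract the role name from the "not authorized to perform: sts:AssumeRole" error.
role_name_from_error() {
  printf '%s\n' "$1" |
    sed -n 's|.*on resource: arn:aws:iam::[0-9]*:role/\([^ ]*\).*|\1|p'
}

# Trust policy that lets the CloudFormation service assume the role.
# Assumption: this matches the trust policy of the role that was deleted.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"cloudformation.amazonaws.com"},
 "Action":"sts:AssumeRole"}]}
EOF
}

# Usage: recover_stack "<error text>" <stack-name> <policy-arn>
recover_stack() {
  local role stack="$2" policy_arn="$3"
  role="$(role_name_from_error "$1")"
  [ -n "$role" ] || { echo "no role ARN found in error text" >&2; return 1; }

  # An explicit --role-name avoids the random suffix CloudFormation would add.
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null || return 1
  aws iam attach-role-policy --role-name "$role" \
    --policy-arn "$policy_arn" || return 1
  aws iam wait role-exists --role-name "$role" || return 1

  # If deletion fails, stop here and leave the role in place for a retry.
  aws cloudformation delete-stack --stack-name "$stack" || return 1
  aws cloudformation wait stack-delete-complete --stack-name "$stack" || return 1

  # The stack is gone, so the stand-in role is no longer needed.
  aws iam detach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  aws iam delete-role --role-name "$role"
}
```

If the stack deletion still fails right after the role is created, retry after a short wait, since new IAM roles can take a moment to become usable by other services.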