CodexBloom - Programming Q&A Platform

AWS CloudFormation Rollback Failure When Updating IAM Roles for Lambda Functions

👀 Views: 94 💬 Answers: 1 📅 Created: 2025-06-06
aws cloudformation lambda iam YAML

I'm trying to update my AWS Lambda function to grant it additional permissions via an IAM role change in my CloudFormation template. However, the stack update fails with the error message `Resource update cancelled` and rolls back all changes. The CloudFormation events log shows `The following resource(s) failed to update: [MyLambdaFunction].`

Here is the relevant part of my CloudFormation template:

```yaml
Resources:
  MyLambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: MyFunction
      Handler: index.handler
      Role: !GetAtt MyLambdaRole.Arn
      Code:
        S3Bucket: mybucket
        S3Key: myfunction.zip
      Runtime: python3.8
  MyLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: MyLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: arn:aws:s3:::mybucket/*
```

When I try to update the role to add permissions for writing to another S3 bucket, the update fails. I've also checked that the policies are valid and that the Lambda service has the necessary permissions to assume the role. I've tried commenting out the IAM role change to see if the rest of the stack would update successfully, and it does, but as soon as the IAM role modification is included, it fails again.

Does anyone have insights on how to troubleshoot this rollback or how to properly structure the IAM role so that it can be updated without causing the entire stack to fail? Any tips on best practices for managing IAM roles in CloudFormation would also be appreciated. I'm currently using CloudFormation version 1.0 and deploying through the AWS Management Console.
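Two things worth knowing before restructuring anything. First, `Resource update cancelled` is a secondary event: CloudFormation emits it for resources whose update it abandoned because another resource in the same update already failed, so the root cause is the earliest `UPDATE_FAILED` event in `aws cloudformation describe-stack-events --stack-name <stack>` whose status reason is something other than `Resource update cancelled`. Second, the template above keeps the permissions inline on the role (`Policies`), so every permission change is an update to `MyLambdaRole`. The following template is an added example, not code from the question or from an answer on this page; it moves the permissions into a standalone `AWS::IAM::Policy` resource so that adding a statement updates only that resource, while `MyLambdaRole` (whose ARN the function references) and `MyLambdaFunction` are left untouched by the stack update. The second bucket name `my-output-bucket` and the `python3.12` runtime are assumptions; `python3.8` from the original template has been deprecated by Lambda.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda execution role with permissions managed as a separate policy resource

Resources:
  # The role carries only its trust policy and a logging managed policy.
  # Its ARN is what the function references, and that ARN never changes
  # when the custom permissions below change.
  MyLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Permissions live in their own resource. Adding or changing a statement
  # here updates MyLambdaPolicy only; the role and the function resources
  # see no property change and are not updated.
  MyLambdaPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: MyLambdaPolicy
      Roles:
        - !Ref MyLambdaRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ReadSourceObjects
            Effect: Allow
            Action:
              - s3:GetObject
            Resource: arn:aws:s3:::mybucket/*
          - Sid: WriteOutputObjects
            Effect: Allow
            Action:
              - s3:PutObject
            # Assumed name for the second bucket; scoped to objects, not to the bucket itself
            Resource: arn:aws:s3:::my-output-bucket/*

  MyLambdaFunction:
    Type: 'AWS::Lambda::Function'
    # Without this the function can be created (and invoked) before the
    # policy is attached, since the function only references the role.
    DependsOn: MyLambdaPolicy
    Properties:
      FunctionName: MyFunction
      Handler: index.handler
      Role: !GetAtt MyLambdaRole.Arn
      Code:
        S3Bucket: mybucket
        S3Key: myfunction.zip
      # Assumed current runtime; python3.8 is deprecated on Lambda
      Runtime: python3.12
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name <stack> --capabilities CAPABILITY_IAM` (the capability flag is required because the stack creates IAM resources; the console prompts for the same acknowledgement). Keeping each statement scoped to a single bucket and action, with a `Sid` naming its purpose, also makes later permission reviews and diffs of change sets easier to read than one growing inline policy.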