Fix CloudFix Auto‑Approval Access (Change Manager)


Problem

CloudFix is unable to auto-approve Change Manager templates. Recommendations remain in the “Suggested” state because cloudfix-fixer-approver-role cannot be assumed: the sts:AssumeRole call returns an AccessDenied error.

This typically indicates a misconfiguration in the IAM role trust policy or a mismatch in the ExternalId.


Symptoms

  • Fixer recommendations remain stuck in the "Suggested" state.

  • CloudFix logs show AccessDenied when assuming cloudfix-fixer-approver-role.


Cause

One or more of the following conditions may be true:

  • The sts:ExternalId in the trust policy does not match your CloudFix tenant’s ExternalId.

  • The trust policy is missing required trusted principals.

  • A Service Control Policy (SCP) is blocking sts:AssumeRole.


Resolution

Step 1: Check the Trust Policy of cloudfix-fixer-approver-role

Ensure the trust policy includes:

  • The correct ExternalId:

    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "<your-external-id>"
      }
    }
    
  • The correct trusted principals (adjust for resource suffixes if applicable):

    "Principal": {
      "AWS": [
        "arn:aws:iam::061081614506:role/cloudfix-finder-role-assume",
        "arn:aws:iam::061081614506:role/cloudfix-finder-cur-role-assume"
      ]
    }
    

    Example complete trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::061081614506:role/cloudfix-finder-role-assume",
              "arn:aws:iam::061081614506:role/cloudfix-finder-cur-role-assume"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<your-external-id>"
            }
          }
        }
      ]
    }
    

Step 2: Check for SCPs (Service Control Policies)

Ensure no organization-level SCPs are denying the sts:AssumeRole action for the CloudFix principals.
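To make the Step 1 check repeatable, here is an added example (not CloudFix's own tooling) that audits a trust policy for the two conditions above: the expected trusted principals (matched by prefix, so resource suffixes are tolerated) and an sts:ExternalId that equals your tenant's value. It accepts either the bare policy or the full output of `aws iam get-role --role-name cloudfix-fixer-approver-role`; the principal ARNs come from the article, and the sample ExternalId values are constructed.

```python
import json

# Trusted principals from the article's example trust policy. A deployment may
# append a resource suffix to the role names, so they are matched by prefix.
EXPECTED_PRINCIPALS = (
    "arn:aws:iam::061081614506:role/cloudfix-finder-role-assume",
    "arn:aws:iam::061081614506:role/cloudfix-finder-cur-role-assume",
)

def _as_list(value):
    """IAM accepts a lone string or object where a list is allowed; normalise."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def trust_policy(external_id, principals):
    """Build a trust policy in the article's recommended shape, as JSON text."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": list(principals)},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]})

def audit_trust_policy(policy_json, expected_external_id):
    """Return findings for cloudfix-fixer-approver-role; [] means it looks right.
    policy_json is the bare trust policy or the full `aws iam get-role` output,
    which carries the policy under Role.AssumeRolePolicyDocument."""
    doc = json.loads(policy_json)
    doc = doc.get("Role", {}).get("AssumeRolePolicyDocument", doc)
    findings, principals, external_ids = [], set(), set()
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        principals.update(_as_list(principal.get("AWS") if isinstance(principal, dict) else principal))
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:  # without the condition the role is open to confused-deputy use
            findings.append("Allow sts:AssumeRole statement has no sts:ExternalId condition")
        external_ids.update(_as_list(ext))
    for expected in EXPECTED_PRINCIPALS:
        if not any(p.startswith(expected) for p in principals):
            findings.append(f"missing trusted principal {expected}")
    if external_ids and expected_external_id not in external_ids:
        findings.append("sts:ExternalId does not match the CloudFix tenant ExternalId")
    return findings

if __name__ == "__main__":
    broken = trust_policy("stale-external-id", EXPECTED_PRINCIPALS[:1])  # constructed: stale id, one principal
    for finding in audit_trust_policy(broken, "tenant-external-id"):
        print("FINDING:", finding)
```

An empty result only clears the trust policy itself; an SCP denying sts:AssumeRole (Step 2) still has to be checked at the organization level.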


Alternate Fix

If unsure about the current trust policy or ExternalId:

  • Option A: Manually update the trust policy using the example above.

  • Option B: Redeploy the CloudFix IAM roles (Stack/StackSet) using the correct ExternalId (found in the Parameters section of the CloudFormation template). This will reset the trust configuration to the recommended defaults.


After Fixing

Once the trust policy and ExternalId are correctly configured, and no SCPs block access, CloudFix will be able to auto-approve recommendations. Fixes will proceed automatically after approval.


Posted by Bill Gleeson
