This article outlines the steps to resolve the error "Couldn't assume/create SSM SLR" that some users may encounter when CloudFix fails to execute a recommendation. The error is typically due to a lack of proper permissions in the IAM role attempting to execute the change.
When attempting to implement cost-saving recommendations in CloudFix, you may encounter the following error message:
Failed to schedule runbook after step approved. Invalid permissions: Couldn't assume/create SSM SLR, check permissions for the calling identity.
This error usually occurs when the role executing the change is not authorized to perform iam:CreateServiceLinkedRole due to an implicit deny in the role's permission policies.
To fix this issue, you can adjust the permissions via AWS CLI or Systems Manager Console:
Using AWS CLI:
- Open your Management Account via AWS CloudShell / AWS CLI.
- Run the following command:
aws iam create-service-linked-role --aws-service-name ssm.amazonaws.com --region <your_region>
Using the Systems Manager Console:
- Open the Systems Manager console.
- On the left menu, select "Quick Start".
- Identify and select the configuration with type "Change Manager".
- Select Actions > Edit Configuration.
- Under "Permissions to request and make changes", add permissions for iam:CreateServiceLinkedRole to the policy, then save and deploy this change.
After making the above changes, allow some time for CloudFix to re-evaluate the opportunity. Once it confirms the opportunity is still valid, it makes it available to you again in the portal for another execution.
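To confirm the cause before changing permissions, or to verify the fix afterwards, the following added example (not part of the original article and not CloudFix code) checks whether the Systems Manager service-linked role exists and asks the IAM policy simulator whether the executing role is allowed, implicitly denied, or explicitly denied iam:CreateServiceLinkedRole. The function names and the role ARN in the usage comment are hypothetical placeholders. It assumes the identity running it may call iam:GetRole and iam:SimulatePrincipalPolicy.

```shell
#!/bin/sh
# Added example (not CloudFix code): diagnose "Couldn't assume/create SSM SLR".
SLR_NAME="AWSServiceRoleForAmazonSSM"   # Systems Manager service-linked role

# Prints "present" if the role exists, else "missing" (also when unreadable).
slr_status() {
    if aws iam get-role --role-name "$SLR_NAME" >/dev/null 2>&1; then
        echo present
    else
        echo missing
    fi
}

# Prints the policy simulator's decision for iam:CreateServiceLinkedRole on the
# role ARN in $1: allowed, implicitDeny or explicitDeny.
slr_create_decision() {
    aws iam simulate-principal-policy \
        --policy-source-arn "$1" \
        --action-names iam:CreateServiceLinkedRole \
        --context-entries "ContextKeyName=iam:AWSServiceName,ContextKeyValues=ssm.amazonaws.com,ContextKeyType=string" \
        --query 'EvaluationResults[0].EvalDecision' \
        --output text
}

# Combines both checks. Returns 0 if the role exists or can be created, 1 if a
# permission change is needed, 2 if the check itself failed.
diagnose_ssm_slr() {
    role_arn="$1"
    if [ "$(slr_status)" = present ]; then
        echo "OK: $SLR_NAME exists, no role creation needed"
        return 0
    fi
    decision="$(slr_create_decision "$role_arn")" || {
        echo "ERROR: could not simulate policies for $role_arn"
        return 2
    }
    case "$decision" in
        allowed)      echo "OK: role may create $SLR_NAME"; return 0 ;;
        implicitDeny) echo "FIX: no policy allows iam:CreateServiceLinkedRole"; return 1 ;;
        explicitDeny) echo "FIX: a Deny statement blocks iam:CreateServiceLinkedRole"; return 1 ;;
        *)            echo "ERROR: unexpected decision '$decision'"; return 2 ;;
    esac
}

# Usage (constructed placeholder ARN):
#   diagnose_ssm_slr arn:aws:iam::111122223333:role/ExampleCloudFixRole
```

An implicitDeny result matches the cause described in this article; an explicitDeny result means adding an Allow statement alone will not resolve the error.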