Error "Couldn't Assume/Create SSM SLR" when executing a recommendations


This article outlines the steps to resolve the error "Couldn't assume/create SSM SLR" that some users may encounter when CloudFix fails to execute a recommendation. The error is typically due to a lack of proper permissions in the IAM role attempting to execute the change.


When attempting to implement cost-saving recommendations in CloudFix, you may encounter the following error message:

Failed to schedule runbook after step approved. Invalid permissions: Couldn't assume/create SSM SLR, check permissions for the calling identity.

This error usually occurs when the role executing the change is not authorized to perform iam:CreateServiceLinkedRole due to an implicit deny in the role's permission policies.

To fix this issue, you can adjust the permissions via AWS CLI or Systems Manager Console:

Using AWS CLI:

  1. Open your Management Account via AWS CloudShell / AWS CLI.
  2. Run the following command: aws iam create-service-linked-role --aws-service-name --region <your_region>

Using the Systems Manager Console:

  1. Open the Systems Manager console.
  2. On the left menu, select "Quick Start".
  3. Identify and select the configuration with type "Change Manager".
  4. Select Actions > Edit Configuration.
  5. Under "Permissions to request and make changes", add permissions for iam:CreateServiceLinkedRole to the policy, save and deploy this change.

After making the above changes, please give it some time for CloudFix to re-evaluate this opportunity as still valid and make it available to you again in the portal for another execution.



Article is closed for comments.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request