
Error "Couldn't Assume/Create SSM SLR" when executing a recommendation

Overview

This article outlines the steps to resolve the error "Couldn't assume/create SSM SLR" that some users may encounter when CloudFix fails to execute a recommendation. The error is typically due to a lack of proper permissions in the IAM role attempting to execute the change.

Information

When attempting to implement cost-saving recommendations in CloudFix, you may encounter the following error message:

Failed to schedule runbook after step approved. Invalid permissions: Couldn't assume/create SSM SLR, check permissions for the calling identity.

This error usually occurs when the role executing the change is not authorized to perform iam:CreateServiceLinkedRole due to an implicit deny in the role's permission policies.

To fix this issue, you can adjust the permissions via AWS CLI or Systems Manager Console:

Using AWS CLI:

  1. Open your Management Account via AWS CloudShell / AWS CLI.
  2. Run the following command: aws iam create-service-linked-role --aws-service-name ssm.amazonaws.com --region <your_region>

Using the Systems Manager Console:

  1. Open the Systems Manager console.
  2. On the left menu, select "Quick Start".
  3. Identify and select the configuration with type "Change Manager".
  4. Select Actions > Edit Configuration.
  5. Under "Permissions to request and make changes", add permissions for iam:CreateServiceLinkedRole to the policy, save and deploy this change.
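The "implicit deny" described above means that no statement in the role's policies allows iam:CreateServiceLinkedRole for ssm.amazonaws.com. The following is an added example, not CloudFix or AWS code: a simplified checker you can run over exported policy JSON before and after the change. The sample policies are constructed, Resource elements and condition keys other than iam:AWSServiceName are not evaluated, and the scoped statement is one least-privilege way to grant the permission from step 5.

```python
import fnmatch

ACTION = "iam:CreateServiceLinkedRole"
SERVICE = "ssm.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(stmt):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    patterns = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase(ACTION.lower(), p.lower()) for p in patterns)

def _condition_matches(stmt):
    # Only iam:AWSServiceName is evaluated; other keys are assumed satisfied.
    for op, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if key.lower() != "iam:awsservicename":
                continue
            patterns = _as_list(expected)
            if op == "StringEquals" and SERVICE not in patterns:
                return False
            if op == "StringLike" and not any(
                    fnmatch.fnmatchcase(SERVICE, p) for p in patterns):
                return False
    return True

def evaluate(policies):
    """Return 'explicit deny', 'allow' or 'implicit deny' for ACTION on SERVICE."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not (_action_matches(stmt) and _condition_matches(stmt)):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit deny"  # an explicit Deny always wins
            allowed = allowed or stmt.get("Effect") == "Allow"
    return "allow" if allowed else "implicit deny"

# Constructed samples: a role policy without the action, and a scoped fix.
BEFORE = {"Statement": [{"Effect": "Allow", "Resource": "*",
                         "Action": ["ssm:*", "iam:PassRole"]}]}
SCOPED_FIX = {"Statement": {
    "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/*",
    "Condition": {"StringEquals": {"iam:AWSServiceName": "ssm.amazonaws.com"}}}}

if __name__ == "__main__":
    print(evaluate([BEFORE]), "->", evaluate([BEFORE, SCOPED_FIX]))
```

Scoping the statement with iam:AWSServiceName keeps the role from creating service-linked roles for services other than Systems Manager.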

After making these changes, allow some time for CloudFix to re-evaluate the opportunity, confirm that it is still valid, and make it available in the portal again for another execution.

  1. Priyanka Bhotika
