SIGSEGV when deleting a stackset configured with an execution role that cannot be assumed #770

@dhx-mike-palandra

Description

Notes

  1. All files referenced in terminal transcript below have been pasted inline due to an error when attaching files.
  2. To reproduce, replace (artificial) account number 123412341234 with a valid one in partition aws.
  3. No error when value of parameter ExecutionRoleEffect is set to Allow.

Terminal transcript

$ rain --version
Rain v1.24.3 linux/amd64

$ rain deploy --params ExecutionRoleEffect=Deny -y ./StackSetRoles.yaml
Deploying template 'StackSetRoles.yaml' as stack 'StackSetRoles' in us-east-1.
Stack StackSetRoles: CREATE_COMPLETE
Successfully deployed StackSetRoles

$ rain stackset deploy --accounts 123412341234 --regions us-east-1 ./SnsTopic.yaml
Stack set has been created successfuly with ID: SnsTopic:d374c3f6-8cb8-400d-9547-2e45111469c8
Submitted CREATE instances operation with ID: 4886a518-56ca-4916-8b3b-c652c4344be7
Stack set operation resulted with state: FAILED
Stack set instances have been created successfully

$ rain --debug stackset rm SnsTopic
DEBUG: Deleting stack set: SnsTopic

DEBUG: Loading AWS config
DEBUG: Deleting stack set..
DEBUG: Fetching stack set instances for 'SnsTopic'
panic: runtime error: invalid memory address or nil pointer dereference [recovered, repanicked]
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x11042ad]

goroutine 1 [running]:
github.com/aws-cloudformation/rain/internal/cmd.execute.func1()
	/__w/rain/rain/internal/cmd/wrap.go:77 +0x152
panic({0x1287a00?, 0x2834a50?})
	/usr/local/go/src/runtime/panic.go:860 +0x13a
github.com/aws-cloudformation/rain/internal/cmd/stackset.getStackInstances({0x7ffd040a888f, 0x8})
	/__w/rain/rain/internal/cmd/stackset/stackset_rm.go:103 +0x48d
github.com/aws-cloudformation/rain/internal/cmd/stackset.init.func3(0x2d0e30793c00?, {0x2d0e30b093a0?, 0x4?, 0x13d96e5?})
	/__w/rain/rain/internal/cmd/stackset/stackset_rm.go:44 +0x22e
github.com/spf13/cobra.(*Command).execute(0x284fe20, {0x2d0e30b09380, 0x2, 0x2})
	/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1019 +0xafb
github.com/spf13/cobra.(*Command).ExecuteC(0x284b080)
	/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1148 +0x465
github.com/spf13/cobra.(*Command).Execute(...)
	/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1071
github.com/aws-cloudformation/rain/internal/cmd.execute(0x2d0e30840068?)
	/__w/rain/rain/internal/cmd/wrap.go:86 +0x4d
github.com/aws-cloudformation/rain/internal/cmd.Execute(0x2d0e3079a1e0?)
	/__w/rain/rain/internal/cmd/wrap.go:95 +0x13
main.main()
	/__w/rain/rain/cmd/rain/main.go:23 +0x1a

StackSetRoles.yaml

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  ExecutionRoleEffect:
    Description: rain stack trace when set to Deny
    Type: String
    AllowedValues:
      - Allow
      - Deny
    Default: Allow

Resources:
  AdminRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              ArnLike:
                aws:SourceArn: !Sub arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stackset/*
      Policies:
        - PolicyName: main
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/AWSCloudFormationStackSetExecutionRole
      RoleName: AWSCloudFormationStackSetAdministrationRole

  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: !Ref ExecutionRoleEffect
            Principal:
              AWS: !GetAtt AdminRole.Arn
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSCloudFormationFullAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSNSFullAccess
      RoleName: AWSCloudFormationStackSetExecutionRole

SnsTopic.yaml

AWSTemplateFormatVersion: 2010-09-09

Description: Generated by rain

Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties: {}
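The trace above shows getStackInstances at stackset_rm.go:103 dereferencing a nil pointer while listing the instances of a stack set whose only instance failed to create. The issue does not say which field was nil, so the following is an added example, not rain's own code, of the defensive pattern a fix would follow: the StackInstanceSummary stand-in struct, the str helper and collectStackIDs are all assumptions of this example, and the sample data is constructed.

```go
package main

import "fmt"

// StackInstanceSummary stands in (assumption) for the SDK's stack set instance
// summary: optional fields are pointers, and StackId is nil for an instance
// whose stack was never created, e.g. when the execution role cannot be assumed.
type StackInstanceSummary struct {
	Account      *string
	Region       *string
	StackId      *string
	Status       string // e.g. "CURRENT", "OUTDATED", "INOPERABLE"
	StatusReason *string
}
// str dereferences an optional string, yielding "" instead of panicking on nil.
func str(p *string) string {
	if p == nil {
		return ""
	}
	return *p
}
// collectStackIDs returns the stack IDs of instances that hold a stack, and a
// human-readable list of instances it skipped because they carry no stack ID.
func collectStackIDs(instances []StackInstanceSummary) (ids, skipped []string) {
	for _, inst := range instances {
		if id := str(inst.StackId); id != "" {
			ids = append(ids, id)
			continue
		}
		skipped = append(skipped, fmt.Sprintf("%s/%s: %s (%s)",
			str(inst.Account), str(inst.Region), inst.Status, str(inst.StatusReason)))
	}
	return ids, skipped
}
func ptr(s string) *string { return &s }
// sampleInstances is constructed data: one deployed instance and one whose
// creation failed, so its StackId is nil (account number is the report's
// artificial 123412341234).
var sampleInstances = []StackInstanceSummary{
	{Account: ptr("123412341234"), Region: ptr("us-east-1"), Status: "CURRENT",
		StackId: ptr("arn:aws:cloudformation:us-east-1:123412341234:stack/StackSet-SnsTopic-example/constructed-id")},
	{Account: ptr("123412341234"), Region: ptr("us-west-2"), Status: "OUTDATED",
		StatusReason: ptr("constructed: sts:AssumeRole on the execution role was denied")},
}
func main() {
	ids, skipped := collectStackIDs(sampleInstances)
	fmt.Println("stacks to delete:", ids, "skipped:", skipped)
}
```

A delete path built this way removes the stacks it can reach and reports the instance it could not, instead of crashing before any cleanup runs.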
