Page URL
https://docs.netapp.com/us-en/console-setup-admin/reference-permissions-aws.html
Page title
AWS permissions for the Console agent
Summary
When trying to deploy a Multi-AZ CVO-HA from NetApp Console in AWS we can see in the logs that a permission is missing. From server.log:
2026-04-07 15:54:22,093 UTC ERROR [Create Aws Ha Working Environment] [xxxxxxxx] [JjRIfCLnrj ] [xxxxxxxx ] (oncloud-akka.actor.default-dispatcher-21) [AwsHaCreateFlowExecutor:120] Failed creating instance profile resources com.netapp.oncloud.modules.operations.aws.AwsStackOperations$StackCreationFailedWithMessageException: The following resource(s) failed to create: [IamInstanceRole]. Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::xxxxxx:assumed-role/xxxxxxxx/i-xxxxxxxxis not authorized to perform: iam:TagRole on resource: arn:aws:iam::xxxxxxxx:role/cvo-instance-profile-version10-b95f-IamInstanceRole-vJ9T8t1roghs because no identity-based policy allows the iam:TagRole action (Service: Iam, Status Code: 403, Request ID: xxxxxxxx) (SDK Attempt Count: 1)"" (RequestToken: xxxxxxxx, HandlerErrorCode: UnauthorizedTaggingOperation)
Support team advised that that permission was needed. After adding iam:TagRole (and making no other changes) the deployment was successful.
Please add iam:TagRole to Policy 1.
Public issues must not contain sensitive information
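To confirm a gap like the one reported above before retrying a deployment, the denied action can be pulled from the log text and compared with the agent's policy document. This is an added example, not NetApp's code or part of the original issue; the sample log text, the sample policy, the account ID and the function names are all constructed for illustration.

```python
import fnmatch
import re

# Constructed sample: shortened form of the denial in the server.log entry above.
SAMPLE_LOG = (
    "User: arn:aws:sts::111111111111:assumed-role/ExampleAgentRole/i-0example "
    "is not authorized to perform: iam:TagRole on resource: "
    "arn:aws:iam::111111111111:role/example-IamInstanceRole because no "
    "identity-based policy allows the iam:TagRole action"
)

# Constructed policy for illustration; not NetApp's published Policy 1.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePolicy", "cloudformation:CreateStack"],
         "Resource": "*"},
    ],
}

DENIED_RE = re.compile(r"not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)")

def denied_actions(log_text):
    """Return the distinct IAM actions named in access-denied messages."""
    return sorted(set(DENIED_RE.findall(log_text)))

def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action):
    """Action-level check only: Resource, Condition and NotAction are ignored."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        # Action names are case-insensitive and may use * and ? wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def missing_actions(log_text, policy):
    """Actions the log shows as denied that the policy does not allow."""
    return [a for a in denied_actions(log_text) if not policy_allows(policy, a)]

if __name__ == "__main__":
    print(missing_actions(SAMPLE_LOG, SAMPLE_POLICY))
```

Because the check ignores Resource and Condition elements, a clean result only shows that the action is named in the policy, not that it is allowed on the specific role ARN.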