[SOLVED] Role is not authorized to perform DescribeStream on KinesisStream

Role is not authorized to perform DescribeStream on KinesisStream

I have 2 policies each for S3 and Kinesis stream which includes DescribeStream. The S3 policy works well but I am getting this error with KinesisPolicy.

Resources:

S3
KinesisStream
Firehose

Role:

FirehoseRole

Policies:

S3 policy with the following permissions:

      - 's3:AbortMultipartUpload'
      - 's3:GetBucketLocation'
      - 's3:GetObject'
      - 's3:ListBucket'
      - 's3:ListBucketMultipartUploads'
      - 's3:PutObject'

Kinesis Policy with the following permissions:

      - 'kinesis:PutRecord'
      - 'kinesis:DescribeStreamSummary'
      - 'kinesis:PutRecords'
      - 'kinesis:GetShardIterator'
      - 'kinesis:GetRecords'
      - 'kinesis:DescribeStream'

Error:

The role (firehoseRole) is not authorized to perform DescribeStream on MyKinesisStream.

Cloud formation template

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled

 firehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref 'AWS::AccountId'

  DeliveryPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: firehose_delivery_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 's3:AbortMultipartUpload'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:ListBucketMultipartUploads'
              - 's3:PutObject'
            Resource:
              - !Sub 'arn:aws:s3:::${S3Bucket}'
              - !Sub 'arn:aws:s3:::${S3Bucket}*'
      Roles:
        - !Ref firehoseRole

  KinesisPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: kinesis_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 
              - 'kinesis:PutRecord'
              - 'kinesis:DescribeStreamSummary'
              - 'kinesis:PutRecords'
              - 'kinesis:GetShardIterator'
              - 'kinesis:GetRecords'
              - 'kinesis:DescribeStream'
            Resource:
              - !GetAtt MyKinesisStream.Arn
      Roles:
        - !Ref firehoseRole

  MyKinesisStream:
    Type: AWS::Kinesis::Stream
    Properties: 
      ShardCount: 1

  DeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamType: KinesisStreamAsSource
      KinesisStreamSourceConfiguration:
        KinesisStreamARN: !GetAtt MyKinesisStream.Arn
        RoleARN: !GetAtt firehoseRole.Arn
      S3DestinationConfiguration:
        BucketARN: !GetAtt S3Bucket.Arn
        BufferingHints:
          IntervalInSeconds: 60
          SizeInMBs: 50
        CompressionFormat: UNCOMPRESSED
        Prefix: firehose/
        RoleARN: !GetAtt firehoseRole.Arn

Solution

I was able to resolve the error. I had to add DependsOn To DeliveryStream and include both the policies.