roleArn
The ARN of the IAM role that you want the delivery stream to use to create endpoints in the destination VPC. You can use your existing Firehose delivery role or you can specify a new role. In either case, make sure that the role trusts the Firehose service principal and that it grants the following permissions:
ec2:DescribeVpcsec2:DescribeVpcAttributeec2:DescribeSubnetsec2:DescribeSecurityGroupsec2:DescribeNetworkInterfacesec2:CreateNetworkInterfaceec2:CreateNetworkInterfacePermissionec2:DeleteNetworkInterface
When you specify subnets for delivering data to the destination in a private VPC, make sure you have enough number of free IP addresses in chosen subnets. If there is no available free IP address in a specified subnet, Firehose cannot create or add ENIs for the data delivery in the private VPC, and the delivery will be degraded or fail.