Error when trying to create a Group and User in the same Template


Hello, I am fairly new to AWS and CloudFormation.

My issue is that I am trying to create a CloudFormation template to create a group and then to create a user and add that newly created group to that user. However, because the creation of the group takes some time, I think CloudFormation "skips" the group creation and wants to create the user with the group directly, but that fails and it then returns an error saying something like: "Resource handler returned message: "The group with name AWS-TEST cannot be found. (Service: Iam, Status Code: 404,...)".

asked 6 months ago · 244 views
1 Answer
Accepted Answer

Hello.

How about creating an IAM user after the IAM group is created using "DependsOn" like below?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

  Group:
    Type: "AWS::IAM::Group"
    Properties:
      GroupName: "custom"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"

  UserHogehoge:
    DependsOn: Group
    Type: "AWS::IAM::User"
    Properties:
      Path: "/"
      UserName: "hogehoge"
      Groups:
        - !Ref Group
EXPERT
answered 6 months ago
  • Hello, I had that idea too, but it seems the DependsOn key is not permitted when creating a user. I got the following error the first time I tried it:

    Properties validation failed for resource USRENAME with message: #: extraneous key [DependsOn] is not permitted.

    So for your example it would be:

    Properties validation failed for resource hogehoge with message: #: extraneous key [DependsOn] is not permitted.

  • No, you can use "DependsOn". We are seeing successful deployments using the template below. The error you shared can occur if the YAML is mis-indented.

    AWSTemplateFormatVersion: 2010-09-09
    Description: test.
    
    Resources:
      Group:
        Type: "AWS::IAM::Group"
        Properties:
          GroupName: "custom"
          Path: "/"
          ManagedPolicyArns:
            - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    
      UserHogehoge:
        DependsOn: Group
        Type: "AWS::IAM::User"
        Properties:
          Path: "/"
          UserName: "hogehoge"
          Groups:
            - !Ref Group
    
  • I'm using JSON format:

    {
      "Parameters": {
        "UserPass": {
          "Type": "String",
          "Description": "Users initial password",
          "Default": "blahblah123"
        },
        "TestGroupName": {
          "Type": "String",
          "Description": "TEST Group Name",
          "Default": "AWS-TEST"
        }
      },
      "Resources": {
        "GroupTEST": {
          "Type": "AWS::IAM::Group",
          "Properties": {
            "GroupName": {"Ref": "TestGroupName"},
            "ManagedPolicyArns": [
              "arn:aws:iam::aws:policy/AmazonS3FullAccess"
            ],
            "Path": "/"
          }
        },
        "UserHogehoge": {
          "Type": "AWS::IAM::User",
          "Properties": {
            "Groups": [
              {"Ref": "TestGroupName"}
            ],
            "UserName": "hogehoge",
            "DependsOn": "GroupTEST",
            "LoginProfile": {
              "Password": {"Ref": "UserPass"},
              "PasswordResetRequired": "True"
            }
          }
        }
      }
    }
    

    Does the position of the DependsOn key matter? I just saw that this template is using the FormatVersion 2010-09-09 also maybe that might be an issue?

  • The position of "DependsOn" is important. Please try as below.

    {
      "Parameters": {
        "UserPass": {
          "Type": "String",
          "Description": "Users initial password",
          "Default": "blahblah123"
        },
        "TestGroupName": {
          "Type": "String",
          "Description": "TEST Group Name",
          "Default": "AWS-TEST"
        }
      },
      "Resources": {
        "GroupTEST": {
          "Type": "AWS::IAM::Group",
          "Properties": {
            "GroupName": {"Ref": "TestGroupName"},
            "ManagedPolicyArns": [
              "arn:aws:iam::aws:policy/AmazonS3FullAccess"
            ],
            "Path": "/"
          }
        },
        "UserHogehoge": {
          "DependsOn": "GroupTEST",
          "Type": "AWS::IAM::User",
          "Properties": {
            "Groups": [
              {"Ref": "TestGroupName"}
            ],
            "UserName": "hogehoge",
            "LoginProfile": {
              "Password": {"Ref": "UserPass"},
              "PasswordResetRequired": "True"
            }
          }
        }
      }
    }
    
  • Good morning, I just tried it and I still get the same error that [DependsOn] is not permitted. :(

    Update: I tried to create a new stack and it worked there, with no error for DependsOn, so I assume it might be some other issue with the one stack already in place?
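
A pre-deployment check for the two mistakes discussed in this thread, as an added example (not code from the original posts or from AWS): it flags `DependsOn` placed inside `Properties` and IAM users whose `Groups` entries create no dependency on a group resource. The function name `lint_template`, the constructed sample templates, and the extra check on the password parameter (`Default` / `NoEcho`) are assumptions of this example.

```python
import copy

def lint_template(template):
    """Return findings for IAM user/group wiring in a CloudFormation template dict."""
    findings = []
    params, resources = template.get("Parameters", {}), template.get("Resources", {})
    groups = {n for n, r in resources.items() if r.get("Type") == "AWS::IAM::Group"}
    for name, res in resources.items():
        props = res.get("Properties", {})
        # DependsOn is a resource attribute (a sibling of Type), not a property.
        if "DependsOn" in props:
            findings.append(f"{name}: DependsOn is inside Properties")
        if res.get("Type") != "AWS::IAM::User":
            continue
        depends = res.get("DependsOn", [])
        depends = {depends} if isinstance(depends, str) else set(depends)
        for entry in props.get("Groups", []):
            ref = entry.get("Ref") if isinstance(entry, dict) else None
            # A Ref to the group *resource* orders creation implicitly; a name taken
            # from a parameter or a literal does not, so DependsOn has to do it.
            if ref not in groups and not (depends & groups):
                findings.append(f"{name}: group {entry!r} has no dependency on a group resource")
        pw = props.get("LoginProfile", {}).get("Password")
        pref = pw.get("Ref") if isinstance(pw, dict) else None
        p = params.get(pref)
        if p is not None and ("Default" in p or str(p.get("NoEcho", "")).lower() != "true"):
            findings.append(f"{pref}: password parameter has a Default or lacks NoEcho")
    return findings

# Constructed sample mirroring the JSON template posted in the thread.
BROKEN = {
    "Parameters": {
        "UserPass": {"Type": "String", "Default": "blahblah123"},
        "TestGroupName": {"Type": "String", "Default": "AWS-TEST"},
    },
    "Resources": {
        "GroupTEST": {"Type": "AWS::IAM::Group",
                      "Properties": {"GroupName": {"Ref": "TestGroupName"}}},
        "UserHogehoge": {"Type": "AWS::IAM::User", "Properties": {
            "Groups": [{"Ref": "TestGroupName"}], "UserName": "hogehoge",
            "DependsOn": "GroupTEST",
            "LoginProfile": {"Password": {"Ref": "UserPass"}}}},
    },
}
FIXED = copy.deepcopy(BROKEN)  # corrected variant: attribute moved, password hardened
user = FIXED["Resources"]["UserHogehoge"]
user["DependsOn"] = user["Properties"].pop("DependsOn")
FIXED["Parameters"]["UserPass"] = {"Type": "String", "NoEcho": "true"}
if __name__ == "__main__": print(lint_template(BROKEN), lint_template(FIXED))
```

Referencing the group resource itself (`{"Ref": "GroupTEST"}`) in `Groups` also passes the check without any `DependsOn`, because that `Ref` gives CloudFormation the ordering implicitly.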
