Error when trying to create a Group and User in the same Template

0

Hello, I am fairly new to AWS and CloudFormation.

My issue is that I am trying to create a CloudFormation template to create a group and then to create a user and add that newly created group to that user; however, because the creation of the group takes some time, I think CloudFormation "skips" the group creation and wants to create the user with the group directly, but that fails and then it returns an error saying something like "Resource handler returned message: "The group with name AWS-TEST cannot be found. (Service: Iam, Status Code: 404,...)".

asked 6 months ago · 245 views
1 Answer
1
Accepted Answer

Hello.

How about creating an IAM user after the IAM group is created using "DependsOn" like below?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

  Group:
    Type: "AWS::IAM::Group"
    Properties:
      GroupName: "custom"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"

  UserHogehoge:
    DependsOn: Group
    Type: "AWS::IAM::User"
    Properties:
      Path: "/"
      UserName: "hogehoge"
      Groups:
        - !Ref Group
EXPERT
answered 6 months ago
  • Hello, I had that idea too, but it seems the DependsOn key is not permitted when creating a user; I got the following error the first time I tried it:

    Properties validation failed for resource USRENAME with message: #: extraneous key [DependsOn] is not permitted.

    So for your example it would be:

    Properties validation failed for resource hogehoge with message: #: extraneous key [DependsOn] is not permitted.

  • No, you can use "DependsOn". We are seeing successful deployments using the template below. The error you shared can occur if the YAML is mis-indented.

    AWSTemplateFormatVersion: 2010-09-09
    Description: test.
    
    Resources:
      Group:
        Type: "AWS::IAM::Group"
        Properties:
          GroupName: "custom"
          Path: "/"
          ManagedPolicyArns:
            - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    
      UserHogehoge:
        DependsOn: Group
        Type: "AWS::IAM::User"
        Properties:
          Path: "/"
          UserName: "hogehoge"
          Groups:
            - !Ref Group
    
  • I'm using json format:

    "Parameters": {
    "UserPass" : {
                "Type": "String",
                "Description": "Users initial password",
                "Default": "blahblah123"
            },
    "TestGroupName" : {
                "Type": "String",
                "Description": "TEST Group Name",
                "Default": "AWS-TEST"
            }
        },
    
    "Resources": {
    "GroupTEST":{
                "Type" : "AWS::IAM::Group",
                "Properties" : {
                    "GroupName" : {"Ref":"TestGroupName"},
                    "ManagedPolicyArns" : [
                       "arn:aws:iam::aws:policy/AmazonS3FullAccess"
                        ],
                    "Path" : "/"
                }
            },
    "UserHogehoge" : {
                "Type": "AWS::IAM::User",
                "Properties": {
                    "Groups": [  
                        {"Ref" : "TestGroupName"}
                    ],
                    "UserName": "hogehoge",
                    "DependsOn": "GroupTEST",
                    "LoginProfile": {
                        "Password" : {"Ref":"UserPass"},
                        "PasswordResetRequired" : "True"
                    }
                }
            }
    

    Does the position of the DependsOn key matter? I just saw that this template is also using the FormatVersion 2010-09-09; maybe that might be an issue?

  • The position of "DependsOn" is important. Please try as below.

    "Parameters": {
    "UserPass" : {
                "Type": "String",
                "Description": "Users initial password",
                "Default": "blahblah123"
            },
    "TestGroupName" : {
                "Type": "String",
                "Description": "TEST Group Name",
                "Default": "AWS-TEST"
            }
        },
    
    "Resources": {
    "GroupTEST":{
                "Type" : "AWS::IAM::Group",
                "Properties" : {
                    "GroupName" : {"Ref":"TestGroupName"},
                    "ManagedPolicyArns" : [
                       "arn:aws:iam::aws:policy/AmazonS3FullAccess"
                        ],
                    "Path" : "/"
                }
            },
    "UserHogehoge" : {
                "DependsOn": "GroupTEST",
                "Type": "AWS::IAM::User",
                "Properties": {
                    "Groups": [  
                        {"Ref" : "TestGroupName"}
                    ],
                    "UserName": "hogehoge",
                    "LoginProfile": {
                        "Password" : {"Ref":"UserPass"},
                        "PasswordResetRequired" : "True"
                    }
                }
            }
        }
    
  • Good morning, I just tried it and I still get the same error that [DependsOn] is not permitted. :(

    Update: I tried to create a new stack and it worked there, with no error for DependsOn, so I assume it might be some other issue with the one stack already in place?
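
An added example, not part of the original thread and not AWS tooling: a small Python pre-deployment check for the two mistakes discussed above, a resource attribute such as DependsOn placed inside Properties, and a Groups entry that names the group through a parameter (which creates no implicit dependency) while nothing depends on the group resource. It also flags a login password parameter that has a Default or lacks NoEcho; the function name, messages and the reduced sample template are assumptions made for illustration.

```python
import json

# Resource attributes sit beside "Type" and "Properties", never inside "Properties".
RESOURCE_ATTRIBUTES = {"DependsOn", "DeletionPolicy", "UpdateReplacePolicy",
                       "CreationPolicy", "UpdatePolicy"}

def lint_template(template):
    """Return (logical_id, message) findings for a parsed CloudFormation template."""
    findings = []
    params = template.get("Parameters", {})
    resources = template.get("Resources", {})
    for name, res in resources.items():
        props = res.get("Properties", {})
        for attr in sorted(RESOURCE_ATTRIBUTES & props.keys()):
            findings.append((name, f"{attr} is inside Properties; move it up one level"))
        if res.get("Type") != "AWS::IAM::User":
            continue
        deps = res.get("DependsOn", [])
        deps = {deps} if isinstance(deps, str) else set(deps)
        for entry in props.get("Groups", []):
            if isinstance(entry, dict) and entry.get("Ref") in resources:
                continue  # Ref to the group resource already orders creation
            for gid, gres in resources.items():
                if (gres.get("Type") == "AWS::IAM::Group" and gid not in deps
                        and gres.get("Properties", {}).get("GroupName") == entry):
                    findings.append((name, f"Groups names {gid} without Ref or DependsOn"))
        pw = props.get("LoginProfile", {}).get("Password")
        pid = pw.get("Ref") if isinstance(pw, dict) else None
        if pid in params:
            p = params[pid]
            if "Default" in p or str(p.get("NoEcho", "")).lower() != "true":
                findings.append((pid, "password parameter has a Default or lacks NoEcho"))
    return findings

# Constructed sample, reduced from the JSON in the thread (DependsOn misplaced).
BROKEN = json.loads("""
{"Parameters": {"UserPass": {"Type": "String", "Default": "blahblah123"},
                "TestGroupName": {"Type": "String", "Default": "AWS-TEST"}},
 "Resources": {
  "GroupTEST": {"Type": "AWS::IAM::Group",
                "Properties": {"GroupName": {"Ref": "TestGroupName"}}},
  "UserHogehoge": {"Type": "AWS::IAM::User",
                   "Properties": {"Groups": [{"Ref": "TestGroupName"}],
                                  "DependsOn": "GroupTEST",
                                  "LoginProfile": {"Password": {"Ref": "UserPass"}}}}}}
""")

if __name__ == "__main__":
    for logical_id, message in lint_template(BROKEN):
        print(f"{logical_id}: {message}")
```

Moving DependsOn up to the resource level clears both UserHogehoge findings; replacing the Groups entry with a Ref to GroupTEST would make the explicit DependsOn unnecessary.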
