
User is not authorized to perform: cloudformation:CreateChangeSet


Account ID: 515497299286

Exact error: User is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-2:aws:transform/Serverless::2016-10-31

Evidence of systematic testing:

  • Failed with multiple IAM users (SAMDeploy with AdministratorAccess)
  • Failed with root user credentials
  • Failed across multiple regions (us-east-2, us-west-2)
  • Regular CloudFormation works fine, as I ran a simple test and it passed
  • No Organization SCPs blocking access
  • SAM template validates correctly
  • Ran simulate and the users have permissions

Timeline: I was able to do this last week, but it is failing this week.

Asked 2 months ago, 61 views
2 answers

Accepted answer

Based on the error message and your testing, this appears to be a permissions issue with the AWS Serverless Application Model (SAM) transformation. Even though you've verified that your users have the necessary CloudFormation permissions and you've tested with AdministratorAccess and even the root user, there seems to be an explicit deny somewhere that's preventing the CreateChangeSet operation specifically on the Serverless transform resource.

The error is specifically related to the Serverless transform (arn:aws:cloudformation:us-east-2:aws:transform/Serverless::2016-10-31) rather than a regular CloudFormation stack, which explains why your regular CloudFormation deployments work fine.

Since you mentioned this was working last week but is failing this week, and you've already verified that there are no Organization SCPs blocking access, there might have been a change in how permissions are evaluated for the Serverless transform, or there could be a temporary service issue.

Here are some troubleshooting steps to consider:

  1. Check for any explicit deny statements in your IAM policies that might be targeting CloudFormation transforms specifically.

  2. Ensure that your IAM policies include permissions not just for CloudFormation actions but also for the specific transform resource. You might need to add explicit permissions for the Serverless transform.

  3. Try adding the following statement to your IAM policy:

```json
{
  "Effect": "Allow",
  "Action": "cloudformation:CreateChangeSet",
  "Resource": "arn:aws:cloudformation:*:aws:transform/Serverless-*"
}
```

  4. If you're using the AWS SAM CLI, ensure it's updated to the latest version, as there might have been changes in how it interacts with the CloudFormation service.

  5. Since you mentioned it was working last week, consider opening a support case with AWS if none of the above steps resolve the issue, as there might be a service-side change or issue.

Remember that in IAM, an explicit deny always takes precedence over an allow permission, so even with AdministratorAccess, if there's a specific deny for this resource, it will block the operation.
Sources
(AccessDenied) when calling the CreateChangeSet operation: | AWS re:Post
Step 3: Limit the CodeDeploy user's permissions - AWS CodeDeploy

Answered 2 months ago
Expert
Reviewed 2 months ago
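The rule the accepted answer closes with (an explicit Deny beats every Allow, AdministratorAccess included) and its first troubleshooting step can be checked locally against the policy documents involved. The following is an added example, not code from this thread or from AWS. It models identity-policy evaluation only, with IAM's `*` and `?` wildcards, and ignores SCPs, permission boundaries, session policies, `NotAction`/`NotResource` and `Condition`. The policy documents are constructed: `ADMIN` mirrors the managed AdministratorAccess policy, `INLINE` mirrors the inline policy quoted in the second answer, and `DENY_TRANSFORMS` is a hypothetical explicit deny that the thread did not find, included only to show how such a statement would block the call. The transform ARN uses the documented name `Serverless-2016-10-31`; the double colon in the question's error message is an assumed typo and is left as quoted there.

```python
"""Local evaluation of cloudformation:CreateChangeSet against the SAM transform ARN.

Added example, not from the thread. Models identity-policy evaluation only:
any matching explicit Deny wins, otherwise a matching Allow grants, otherwise
the request is implicitly denied. SCPs, permission boundaries, session
policies, NotAction/NotResource and Condition are not modelled.
"""
from fnmatch import fnmatchcase

# Documented transform ARN (assumption: the question's "Serverless::2016-10-31"
# is a typo for this form).
TRANSFORM_ARN = "arn:aws:cloudformation:us-east-2:aws:transform/Serverless-2016-10-31"
ACTION = "cloudformation:CreateChangeSet"

# Constructed policy documents.
ADMIN = {  # mirrors the AWS managed AdministratorAccess policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
INLINE = {  # mirrors the inline policy quoted in the second answer
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:CreateChangeSet",
                   "cloudformation:DescribeChangeSet",
                   "cloudformation:ExecuteChangeSet"],
        "Resource": ["arn:aws:cloudformation:*:*:stack/*",
                     "arn:aws:cloudformation:*:aws:transform/*"],
    }],
}
DENY_TRANSFORMS = {  # hypothetical explicit deny; illustrates step 1 of the answer
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "cloudformation:CreateChangeSet",
        "Resource": "arn:aws:cloudformation:*:aws:transform/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM action names are case-insensitive; * and ? are the only wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern, arn):
    # Resource ARNs match case-sensitively; * spans ':' and '/' just as in IAM.
    return fnmatchcase(arn, pattern)


def statement_applies(stmt, action, arn):
    """True when the statement's Action and Resource both cover the request."""
    if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
        return False  # not modelled here; treated as not applying
    return (any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
            and any(resource_matches(p, arn) for p in _as_list(stmt.get("Resource", []))))


def evaluate(policies, action, arn):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for the request."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not statement_applies(stmt, action, arn):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # a single matching Deny ends evaluation
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def denying_statements(policies, action, arn):
    """Step 1 of the accepted answer: every Deny that covers this action and resource."""
    return [stmt for doc in policies for stmt in doc["Statement"]
            if stmt["Effect"] == "Deny" and statement_applies(stmt, action, arn)]


if __name__ == "__main__":
    cases = [("admin only", [ADMIN]),
             ("inline only", [INLINE]),
             ("admin + inline + hypothetical deny", [ADMIN, INLINE, DENY_TRANSFORMS])]
    for name, docs in cases:
        print(f"{name}: {evaluate(docs, ACTION, TRANSFORM_ARN)}")
    for stmt in denying_statements([ADMIN, INLINE, DENY_TRANSFORMS], ACTION, TRANSFORM_ARN):
        print("blocking statement:", stmt)
```

Against the real account the equivalent check is `aws iam simulate-principal-policy`, which the asker reports already returning "allowed"; unlike this toy it also folds in SCPs and permission boundaries. Identity policies such as the two above do not apply to the root user at all, so a failure with root credentials points outside what this model covers (SCPs, which do apply to root, or a service-side condition), which is consistent with the thread ending in a support case.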

In addition to administrator access on the newly created user, I've already added a custom inline policy on that user, defined as below. I'm a solo user, so no org or boundary stuff at all.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/*",
        "arn:aws:cloudformation:*:aws:transform/*"
      ]
    }
  ]
}
```

Answered 2 months ago
  • Oh yeah, I also tried the root user, which as I understand bypasses all restrictions. Will open a ticket. Thanks.
