What permissions do I need when I want to use the DescribeStacks API call?


I want to resolve the Access Denied error I get when I call the DescribeStacks API.

Short description

You might receive the following error when you run the DescribeStacks AWS Command Line Interface (AWS CLI) command:

"An error occurred (AccessDenied) when calling the DescribeStacks operation: User: arn:aws:sts::#AccountId:assumed-role/#RoleName/xxx is not authorized to perform: cloudformation:ListStacks on resource: arn:aws:cloudformation:us-east-1:#AccountId:stack/*/* because no identity-based policy allows the cloudformation:ListStacks action"

This error appears when the role #RoleName doesn't have permission for the cloudformation:ListStacks action.

Note: If you receive errors when you run the AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

You might see the corresponding "Failed to load stacks" error when you use the AWS Management Console. To verify that it's a permission-related issue, check the AWS CloudTrail events, and then filter for the ListStacks API call.

Resolution

The error described earlier occurs when the role doesn't have the required permission to perform the cloudformation:ListStacks action.

Note: If you don't specify a stack name, then DescribeStacks also requires permission for ListStacks.

Update the permissions policy to allow access to ListStacks

Complete the following steps on the AWS Management Console to modify the role's permissions policy:

  1. Log in to the AWS Management Console as an administrator.

  2. Enter IAM in the search bar. Under Services, select IAM as the service on the AWS Management Console.

  3. In the left navigation pane, select the Roles tab.

  4. Enter the role name in the search bar and choose the role name hyperlink (highlighted in blue).

  5. Under the Permissions tab, choose the + icon for any one of the customer managed policy types or customer inline policies. Then, choose the Edit button. For more information, see Editing IAM policies.

  6. Review the Modify permissions in #PolicyName webpage. Make sure that it includes cloudformation:ListStacks. The updated policy looks similar to this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor",
          "Effect": "Allow",
          "Action": [
            "cloudformation:DescribeStacks",
            "cloudformation:ListStacks"
          ],
          "Resource": "*"
        }
      ]
    }

  7. Choose Next. Then, choose the Save changes button to implement the policy changes.

  8. Test the aws cloudformation describe-stacks command to make sure it runs successfully.

Related information

DescribeStacks

describe-stacks

ListStacks

AWS OFFICIAL. Updated 3 months ago