How do I troubleshoot IAM permission errors in CloudFormation?

3 minute read

I want to resolve the AWS Identity and Access Management (IAM) permission errors that I get in AWS CloudFormation.

Short description

When you create or update a CloudFormation stack, the action invokes API calls to the required services to provision the resources. By default, AWS CloudFormation uses a temporary session that it generates from the user credentials for stack operations. If you specify a service role, then AWS CloudFormation uses that role's credentials. The stack operation results in failure if the credentials that are used don't have the required permissions.

Resolution

To troubleshoot the IAM permission errors, follow the steps given in this section.

Error: "ExampleRole" is not authorized to perform: <AWSService>:<APIcall>."

Note: Before you begin, make sure that you are logged in to your AWS account.

To remove the error, follow these steps:

Go to the IAM console.
Choose Roles.
In the search bar, enter ExampleRole.
Choose the Permissions tab.
Verify the policies that are attached to the role.
Choose the + sign on the policy, and then choose Edit.
Add the missing permissions (API call) for the role policy. Then, choose Next.
Choose Save changes.
Go to the AWS CloudFormation console.
Redeploy the stack.

Error: "MalformedPolicyDocument" error while working with resources policies."

The above error occurs when there are syntax errors in the policy section of a CloudFormation template.

To remove the error, follow these steps:

Go to the AWS CloudFormation console.
Choose the stack where the error occurred.
Choose the Template tab.
Copy the failed policy syntax from the Template.
Convert the policy from YAML to JSON.
Go to the IAM console.
Choose Policies.
Choose Create policy.
In Policy editor, choose JSON.
Paste the policy syntax that you copied earlier into the Policy editor.
Choose Next. The Policy editor shows the line in the policy document with the error.
Correct the syntax of the policy document.
Choose Next. Verify that the syntax is valid.
Go to the AWS CloudFormation console.
Redeploy the stack.

Troubleshooting tips

When the error messages from the CloudFormation stack events are unclear, look up the API calls in AWS CloudTrail for the related timestamps.
CloudTrail API calls provide a detailed log of request parameters that were passed to the stack. The log details show the associated error messages. For more information, see Working with CloudTrail Event history.

Related information

Example of policy summaries

Editing IAM policies

Topics

Management & Governance

Relevant content

Permission Error while deploying CloudFormation Stack with Amazon Verified Permissions
Philschke
asked 17 days ago
How can I update IAM policies for tagging CloudFormation resources if the resources do not show in CloudFormation?
lum
asked 2 months ago
how can i quickly troubleshoot IAM permission for a service
ElhananAWS
asked 2 years ago
CloudFormation stack Error
Prerit
asked 9 months ago
Invoke AWS CloudFormation Stack
rePost-User-5062687
asked 2 years ago
How do I resolve the tagging permission error in my CloudFormation stack?
AWS OFFICIALUpdated 8 months ago
How do I troubleshoot missing permission errors in CloudFormation?
AWS OFFICIALUpdated 2 months ago
How do I resolve the "Internal Failure" error when I try to create or update a stack in CloudFormation?
AWS OFFICIALUpdated 3 years ago
How do I resolve the AWS CloudFormation error "Cannot update a stack when a custom-named resource requires replacing"?
AWS OFFICIALUpdated a year ago
Creating a DynamoDB Table with CloudFormation and Adding Items at Creation Time
EXPERT
Leeroy Hannigan
published 10 months ago