
How do I resolve the tagging permission error in my CloudFormation stack?


I want to resolve the tagging permission error that I receive when my AWS CloudFormation stack fails.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

If you try to create, update, or delete a resource in CloudFormation stacks without the correct tagging permissions, then your stack operations fail. To resolve this issue, you must grant the necessary tagging permissions to your AWS Identity and Access Management (IAM) principal.

Identify the role and API operation that failed

For Amazon Elastic Compute Cloud (Amazon EC2) resources, decode the encoded authorization failure message. To identify the role and the API operation that failed, run the following decode-authorization-message AWS CLI command.

aws sts decode-authorization-message --encoded-message example-encoded-message --region example-region

Note: Replace example-encoded-message with your encoded message and example-region with your AWS Region.

For other resources that aren't related to Amazon EC2, check the stack event page to view the role and the API that failed.

Add the missing permissions to the IAM principal

To find the IAM principal that you use for tagging operations, complete the following steps:

  1. Open the CloudFormation console.
  2. In the navigation pane, choose Stacks.
  3. Select your stack name, and then in the Overview section, note the Stack ID.

If you have an Amazon Resource Name (ARN) for an IAM role that's listed, then CloudFormation uses the role to manage and tag the resources.

If you don't have an ARN for an IAM role that's listed, then check the AWS CloudTrail event history for your stack. Complete the following steps:

  1. Open the AWS CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. For Lookup attributes, choose Resource name, and then enter your stack ID into the search box.
    Note: The event history includes events from the past 90 days. If your stack ID search doesn't display events, then update the stack.
  4. In the Event history list, select the first event name.

If the userIdentity type field is IAMUser, then the principal in the arn field manages the resource. If the userIdentity type is Role, then CloudFormation uses the principal in the arn field under the sessionIssuer.

Grant tagging permissions in your IAM policy

When an infrastructure as code (IaC) service manages an IAM principal, you must update the related IAM policy with the same IaC service.

To use the IAM console to grant tagging permissions, create a new inline policy or update an existing policy.

To configure the IAM principal's tagging permissions, you can also run the following put-role-policy AWS CLI command:

aws iam put-role-policy --role-name example-role-name --policy-name example-policy --policy-document file://AdminPolicy.json

Note: Replace example-role-name with your role name, example-policy with your policy name, and AdminPolicy.json with your policy JSON document. The file name and extension aren't important.
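As an added example that is not part of this article, the following Python script takes the JSON that the decode-authorization-message command from the first section prints, extracts the role name, the denied action and the resource, and writes the narrowest policy document that would allow exactly that call, ready to pass to put-role-policy as file://TaggingPolicy.json instead of a broad admin policy. The sample CLI output is constructed, and the field names inside DecodedMessage (explicitDeny, context.principal.arn, context.action, context.resource) are assumed from the decoded-message format.

```python
import json

# Constructed sample of the JSON that `aws sts decode-authorization-message`
# returns; DecodedMessage is itself a JSON document embedded as a string. The
# field names used below are assumed from that format.
SAMPLE_CLI_OUTPUT = json.dumps({"DecodedMessage": json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AROAEXAMPLEID:AWSCloudFormation",
                      "arn": "arn:aws:sts::123456789012:assumed-role/example-cfn-role/AWSCloudFormation"},
        "action": "ec2:CreateTags",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        "conditions": {"items": []},
    },
})})

def parse_denial(cli_output):
    """Extract principal ARN, role name, action and resource from a decoded message."""
    decoded = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = decoded["context"]
    principal_arn = ctx["principal"]["arn"]
    # An assumed-role session ARN is ...:assumed-role/<role-name>/<session-name>;
    # the role name is what put-role-policy needs.
    role_name = None
    if ":assumed-role/" in principal_arn:
        role_name = principal_arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return {"explicit_deny": decoded["explicitDeny"], "principal_arn": principal_arn,
            "role_name": role_name, "action": ctx["action"], "resource": ctx["resource"]}

def minimal_policy(denial):
    """Build the narrowest policy document that allows exactly the denied call."""
    if denial["explicit_deny"]:
        # An Allow never overrides an explicit Deny; that Deny must be changed instead.
        raise ValueError("explicit Deny matched; adding an Allow will not help")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowDeniedTaggingCall", "Effect": "Allow",
        "Action": denial["action"], "Resource": denial["resource"]}]}

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_CLI_OUTPUT)
    print("role:", denial["role_name"], "action:", denial["action"])
    with open("TaggingPolicy.json", "w") as fh:  # pass as file://TaggingPolicy.json
        json.dump(minimal_policy(denial), fh, indent=2)
```

Feed the script the real output of the decode command by replacing SAMPLE_CLI_OUTPUT with that output, then check the resulting TaggingPolicy.json before you attach it to the role.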

Also, you can match your CloudFormation template tags with your resource tags to maintain a consistent infrastructure.