Error when trying to create a Group and User in the same Template


Hello, I am fairly new to AWS and CloudFormation.

My issue is that I am trying to create a CloudFormation template to create a group and then to create a user and add that newly created group to that user. However, because the creation of the group takes some time, I think CloudFormation "skips" the group creation and wants to create the user with the group directly, but that fails and then it returns an error saying something like "Resource handler returned message: "The group with name AWS-TEST cannot be found. (Service: Iam, Status Code: 404,...)".

asked 6 months ago, 217 views
1 Answer
Accepted Answer

Hello.

How about creating an IAM user after the IAM group is created using "DependsOn" like below?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

  Group:
    Type: "AWS::IAM::Group"
    Properties:
      GroupName: "custom"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"

  UserHogehoge:
    DependsOn: Group
    Type: "AWS::IAM::User"
    Properties:
      Path: "/"
      UserName: "hogehoge"
      Groups:
        - !Ref Group
EXPERT
answered 6 months ago
  • Hello, I had that idea too, but it seems the DependsOn key is not permitted when creating a user. I got the following error the first time I tried it:

    Properties validation failed for resource USRENAME with message: #: extraneous key [DependsOn] is not permitted.

    So for your example it would be:

    Properties validation failed for resource hogehoge with message: #: extraneous key [DependsOn] is not permitted.

  • No, you can use "DependsOn". We are seeing successful deployments using the template below. The error you shared can occur if the YAML is mis-indented.

    AWSTemplateFormatVersion: 2010-09-09
    Description: test.
    
    Resources:
      Group:
        Type: "AWS::IAM::Group"
        Properties:
          GroupName: "custom"
          Path: "/"
          ManagedPolicyArns:
            - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    
      UserHogehoge:
        DependsOn: Group
        Type: "AWS::IAM::User"
        Properties:
          Path: "/"
          UserName: "hogehoge"
          Groups:
            - !Ref Group
    
  • I'm using JSON format:

    "Parameters": {
    "UserPass" : {
                "Type": "String",
                "Description": "Users initial password",
                "Default": "blahblah123"
            },
    "TestGroupName" : {
                "Type": "String",
                "Description": "TEST Group Name",
                "Default": "AWS-TEST"
            }
        },
    
    "Resources": {
    "GroupTEST":{
                "Type" : "AWS::IAM::Group",
                "Properties" : {
                    "GroupName" : {"Ref":"TestGroupName"},
                    "ManagedPolicyArns" : [
                       "arn:aws:iam::aws:policy/AmazonS3FullAccess"
                        ],
                    "Path" : "/"
                }
            },
    "UserHogehoge" : {
                "Type": "AWS::IAM::User",
                "Properties": {
                    "Groups": [  
                        {"Ref" : "TestGroupName"}
                    ],
                    "UserName": "hogehoge",
                    "DependsOn": "GroupTEST",
                    "LoginProfile": {
                        "Password" : {"Ref":"UserPass"},
                        "PasswordResetRequired" : "True"
                    }
                }
            }
    

    Does the position of the DependsOn key matter? I just saw that this template is also using the FormatVersion 2010-09-09; maybe that might be an issue?

  • The position of "DependsOn" is important. Please try as below.

    "Parameters": {
    "UserPass" : {
                "Type": "String",
                "Description": "Users initial password",
                "Default": "blahblah123"
            },
    "TestGroupName" : {
                "Type": "String",
                "Description": "TEST Group Name",
                "Default": "AWS-TEST"
            }
        },
    
    "Resources": {
    "GroupTEST":{
                "Type" : "AWS::IAM::Group",
                "Properties" : {
                    "GroupName" : {"Ref":"TestGroupName"},
                    "ManagedPolicyArns" : [
                       "arn:aws:iam::aws:policy/AmazonS3FullAccess"
                        ],
                    "Path" : "/"
                }
            },
    "UserHogehoge" : {
                "DependsOn": "GroupTEST",
                "Type": "AWS::IAM::User",
                "Properties": {
                    "Groups": [  
                        {"Ref" : "TestGroupName"}
                    ],
                    "UserName": "hogehoge",
                    "LoginProfile": {
                        "Password" : {"Ref":"UserPass"},
                        "PasswordResetRequired" : "True"
                    }
                }
            }
    
  • Good morning, I just tried it and I still get the same error that [DependsOn] is not permitted. :(

    Update: I tried to create a new stack and it worked there, with no error for DependsOn, so I assume it might be some other issue with the one stack already in place?
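
A pre-deployment check for the template problems that surface in this thread, as an added example that is not part of any post: it flags `DependsOn` placed inside `Properties`, a user whose `Groups` entry is a `Ref` to a parameter (which gives CloudFormation no ordering against the group resource) with no `DependsOn` on a group, and a login password parameter that has a `Default` or lacks `NoEcho`. The `lint` function and its finding codes are hypothetical names, and the sample template is constructed from the JSON posted above.

```python
import json

# Constructed sample, modelled on the JSON template posted in the thread.
TEMPLATE = json.loads("""{
  "Parameters": {
    "UserPass": {"Type": "String", "Default": "blahblah123"},
    "TestGroupName": {"Type": "String", "Default": "AWS-TEST"}},
  "Resources": {
    "GroupTEST": {"Type": "AWS::IAM::Group",
                  "Properties": {"GroupName": {"Ref": "TestGroupName"}}},
    "UserHogehoge": {"Type": "AWS::IAM::User",
      "Properties": {
        "Groups": [{"Ref": "TestGroupName"}],
        "UserName": "hogehoge",
        "DependsOn": "GroupTEST",
        "LoginProfile": {"Password": {"Ref": "UserPass"}}}}}}""")

# Resource attributes (a subset) that belong beside "Type", never in "Properties".
RESOURCE_ATTRIBUTES = {"DependsOn", "DeletionPolicy", "UpdateReplacePolicy"}

def lint(template):
    """Return sorted (resource, code, detail) findings; hypothetical helper."""
    params = template.get("Parameters", {})
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        for key in RESOURCE_ATTRIBUTES & props.keys():
            findings.append((name, "ATTR_IN_PROPERTIES", key))
        if res.get("Type") != "AWS::IAM::User":
            continue
        deps = res.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps
        waits_for_group = any(
            resources.get(d, {}).get("Type") == "AWS::IAM::Group" for d in deps)
        for group in props.get("Groups", []):
            ref = group.get("Ref") if isinstance(group, dict) else None
            # A Ref to a parameter gives CloudFormation no creation order.
            if ref in params and not waits_for_group:
                findings.append((name, "UNORDERED_GROUP_REF", ref))
        pw = props.get("LoginProfile", {}).get("Password")
        if isinstance(pw, dict) and pw.get("Ref") in params:
            param = params[pw["Ref"]]
            # Console password: should carry no Default and set NoEcho.
            if "Default" in param or str(param.get("NoEcho")).lower() != "true":
                findings.append((name, "WEAK_PASSWORD_PARAM", pw["Ref"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print(*finding)
```

Moving `DependsOn` beside `Type` and declaring `UserPass` with `NoEcho` and no `Default` clears all three findings.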
