
AWS SAM CLI: Deploy AWS Lambda with least privilege access


I'm trying to deploy the hello world quickstart AWS Lambda function created by the AWS SAM CLI template with least privilege access. For this I have created an IAM policy and assigned it to a user whose access_key_id and aws_secret_access_key are being used by the SAM CLI. Also, I have created a private S3 bucket.

When I'm trying to use the `sam deploy --guided --s3-bucket name-of-already-created-bucket` command, I'm getting an error which says:

`Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once`

Can anyone please help me understand what the cause of this error can be, and how it can be resolved?

IAM Permissions granted to SAM CLI:

  1. CloudFormation: DescribeStacks, DescribeChangeSet, GetTemplate, CreateChangeSet, DeleteStack, ExecuteChangeSet
  2. Lambda: CreateFunction
  3. S3: PutObject

1 Answer

There are likely to be other permissions required. If you look at the CloudFormation console (or use the `aws cloudformation describe-stack-events --stack-name <stackname>` command) you will be able to see which resource failed to create and that should point to the permission that you require.

answered 6 months ago
  • I have tried to run the command `aws cloudformation describe-stack-events --stack-name <stackname>`. Initially, I was getting a message that the SAM CLI does not have permission to describe stack events, so I added the permission of describe stack events in the IAM policy. After that, when I tried to run the same command again, I got an error message that the stack does not exist, and also the AWS Console is not showing any stack.

  • When a new stack deployment fails and it rolls back (deleting all the resources) it only stays in the CloudFormation console for a short time. You'll need to try the deployment again then run that command immediately afterwards.
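To act on the answer above (find the resource that actually failed in the stack events and read the denied IAM action out of its reason), here is an added Python example; it is not code from the original thread. The events are a constructed sample in the shape `describe-stack-events` returns (`StackEvents` list with `LogicalResourceId`, `ResourceType`, `ResourceStatus`, `ResourceStatusReason`), and the "is not authorized to perform: <action>" wording is an assumption about how CloudFormation reports an access-denied error.

```python
import json
import re
import sys

# Constructed sample of `aws cloudformation describe-stack-events` output,
# trimmed to the fields this check uses. Resource names and the account id
# are illustrative, not taken from a real deployment.
SAMPLE_EVENTS = json.dumps({"StackEvents": [
    {"LogicalResourceId": "sam-app", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: "
                             "[HelloWorldFunctionRole]. Rollback requested by user."},
    {"LogicalResourceId": "HelloWorldFunction", "ResourceType": "AWS::Lambda::Function",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"LogicalResourceId": "HelloWorldFunctionRole", "ResourceType": "AWS::IAM::Role",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "API: iam:CreateRole User: arn:aws:iam::123456789012:user/"
                             "sam-deployer is not authorized to perform: iam:CreateRole "
                             "on resource: arn:aws:iam::123456789012:role/sam-app-Role"},
    {"LogicalResourceId": "sam-app", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_IN_PROGRESS", "ResourceStatusReason": "User Initiated"},
]})

# Assumed shape of an access-denied reason: "... not authorized to perform: svc:Action ..."
NOT_AUTHORIZED = re.compile(r"not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)")


def failed_resources(events_json):
    """Return only root-cause CREATE_FAILED events.

    Resources cancelled because a sibling failed carry the reason
    "Resource creation cancelled" and are noise for this purpose.
    """
    events = json.loads(events_json)["StackEvents"]
    return [e for e in events
            if e.get("ResourceStatus") == "CREATE_FAILED"
            and e.get("ResourceStatusReason") != "Resource creation cancelled"]


def missing_actions(events_json):
    """Map each failed logical resource to the IAM action its reason names (or None)."""
    result = {}
    for e in failed_resources(events_json):
        match = NOT_AUTHORIZED.search(e.get("ResourceStatusReason", ""))
        result[e["LogicalResourceId"]] = match.group(1) if match else None
    return result


if __name__ == "__main__":
    # Pipe real output in, e.g. `aws cloudformation describe-stack-events
    # --stack-name <stackname> --output json | python3 this_script.py`
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVENTS
    print(json.dumps(missing_actions(data), indent=2))
```

Each action this reports is one statement to add to the deployer policy, scoped to the specific resource ARN from the reason rather than `*`, so the policy grows only as far as the template actually needs.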
