By using AWS re:Post, you agree to the Terms of Use
/Error with creating Cloudformation stack during creating resources and have a role specified/

Error with creating Cloudformation stack during creating resources and have a role specified

0

I am exploring how to delegate Cloudformation permission to other users by testing specifying a role when creating a stack. I notice that some resources like VPC, IGW and EIP can be created but error was prompted. The created resources cannot be deleted by the stack also during rollback or stack deletion.

For example, the following simple template create a VPC:

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.3.9.0/24

I have actually created a role to specify during creation with policy which allow a lot of actions that I collected by querying the cloudtrail using athena. The following are already included: "ec2:CreateVpc","ec2:DeleteVpc","ec2:ModifyVpcAttribute" However, the following occur during creation:

Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: bf28db5b-461e-48ff-9430-91cc05be77ef)" (RequestToken: bc6c6c87-a616-2e94-65eb-d4e5488a499a, HandlerErrorCode: AccessDenied)

Looks like some callback mechanisms are used? The VPC was actually created. The deletion was also failed but it did not succeeded.

Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: f1e43bf1-eb08-462a-9788-f183db2683ab)" (RequestToken: 80cc5412-ba28-772b-396e-37b12dbf8066, HandlerErrorCode: AccessDenied)

Any hint about this issue? Thanks.

1 Answers
0
Accepted Answer

To diagnose the issue my advice is to use cloudtrail and find the calls cloudformation is making and subsequently being denied - cloudtrail will reveal the full detail of what is being denied

I'll also add you may want to have a look at service catalog and launch constraints as a way of allowing "other" users to provision an approved product. There is more control over the template used and ability to share across an organization. There is a workshop to demo the features

MODERATOR
answered 11 days ago
  • Thanks. Actually I did try to find corresponding cloudtrail log but could not really figure out what were denied even with this very simple example. There are not really many logs and so I am not sure whether I miss something else.

    Also thanks for the suggestion about service catalog. Will take a look at the workshop.

    PS Notice that it is easier to search the cloudtrail using the corresponding requestid. Will try to fix the policy based on the error.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions