Error creating CloudFormation stack resources when a role is specified
I am exploring how to delegate CloudFormation permissions to other users by testing specifying a role when creating a stack. I noticed that some resources like VPC, IGW and EIP can be created, but an error was prompted. The created resources also cannot be deleted by the stack during rollback or stack deletion.
For example, the following simple template creates a VPC:
```yaml
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.3.9.0/24
```
I have actually created a role to specify during creation, with a policy that allows a lot of actions that I collected by querying CloudTrail using Athena. The following are already included:
However, the following occurs during creation:
Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: bf28db5b-461e-48ff-9430-91cc05be77ef)" (RequestToken: bc6c6c87-a616-2e94-65eb-d4e5488a499a, HandlerErrorCode: AccessDenied)
It looks like some callback mechanisms are used? The VPC was actually created. The deletion also failed, but it did not succeed.
Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: f1e43bf1-eb08-462a-9788-f183db2683ab)" (RequestToken: 80cc5412-ba28-772b-396e-37b12dbf8066, HandlerErrorCode: AccessDenied)
Any hint about this issue? Thanks.
To diagnose the issue, my advice is to use CloudTrail and find the calls CloudFormation is making that are subsequently being denied; CloudTrail will reveal the full detail of what is being denied.
I'll also add that you may want to have a look at Service Catalog and launch constraints as a way of allowing "other" users to provision an approved product. There is more control over the template used and the ability to share across an organization. There is a workshop that demos the features.
Thanks. Actually I did try to find the corresponding CloudTrail log but could not really figure out what was denied, even with this very simple example. There are not really many logs, so I am not sure whether I missed something else.
Also, thanks for the suggestion about Service Catalog. Will take a look at the workshop.
PS: Note that it is easier to search CloudTrail using the corresponding request ID. Will try to fix the policy based on the error.
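The answer above recommends reading CloudTrail to see which calls CloudFormation makes on the service role's behalf and which of them are denied, and the follow-up notes that the request ID in the stack error is the fastest way to locate the matching event. The script below is an added example, not code from this thread or from AWS: it takes records in the shape returned by `aws cloudtrail lookup-events` (each record carries the raw event as a JSON string in `CloudTrailEvent`), keeps only the denied calls made with a CloudFormation service role, optionally narrows to one request ID, and then compares the denied actions against the role's permissions policy to list the actions the policy does not grant at all. The account ID, role name, request IDs and policy are constructed for the example; the denied calls (`ModifyVpcAttribute`, `CreateTags`) are illustrative sample data, not a claim about what the asker's role is missing.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample data: CloudTrail records as `aws cloudtrail lookup-events`
# returns them. Account id, role name and request ids are made up.
_ROLE_SESSION = {
    "type": "AssumedRole",
    # Calls CloudFormation makes with a service role carry this invokedBy value.
    "invokedBy": "cloudformation.amazonaws.com",
    "arn": "arn:aws:sts::123456789012:assumed-role/cfn-delegated-role/AWSCloudFormation",
}

def _record(name, request_id, error_code=None):
    """Build one lookup-events record; CloudTrailEvent is a JSON string."""
    body = {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "requestID": request_id, "userIdentity": _ROLE_SESSION}
    if error_code:
        body["errorCode"] = error_code
        body["errorMessage"] = "You are not authorized to perform this operation."
    return {"EventName": name, "CloudTrailEvent": json.dumps(body)}

SAMPLE_EVENTS = [
    _record("CreateVpc", "11111111-1111-1111-1111-111111111111"),
    _record("ModifyVpcAttribute", "22222222-2222-2222-2222-222222222222",
            "Client.UnauthorizedOperation"),
    _record("CreateTags", "33333333-3333-3333-3333-333333333333",
            "Client.UnauthorizedOperation"),
]

# Constructed permissions policy of the hypothetical service role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:CreateVpc", "ec2:DeleteVpc", "ec2:Describe*"],
         "Resource": "*"}
    ],
}

# Most services report "AccessDenied"; EC2 reports Client.UnauthorizedOperation.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def denied_calls(events, request_id=None, invoked_by="cloudformation.amazonaws.com"):
    """Return (iam_action, request_id) for every denied call, newest-last order kept.

    request_id narrows to the single call named in the stack error message;
    invoked_by keeps only calls made through the CloudFormation service role.
    """
    found = []
    for record in events:
        body = json.loads(record["CloudTrailEvent"])
        if body.get("errorCode") not in DENIED_CODES:
            continue
        if request_id and body.get("requestID") != request_id:
            continue
        if invoked_by and body.get("userIdentity", {}).get("invokedBy") != invoked_by:
            continue
        # eventSource "ec2.amazonaws.com" + eventName "CreateTags" -> "ec2:CreateTags"
        service = body["eventSource"].split(".")[0]
        found.append((f"{service}:{body['eventName']}", body["requestID"]))
    return found


def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement (NotAction is ignored)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(events, policy):
    """Denied actions that no Allow statement even names.

    This is a triage aid only: it does not evaluate explicit Deny statements,
    Resource ARNs, Conditions, SCPs or permission boundaries, any of which can
    also deny an action the policy lists.
    """
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    denied = {action for action, _ in denied_calls(events)}
    return sorted(a for a in denied
                  if not any(fnmatchcase(a.lower(), p) for p in patterns))


if __name__ == "__main__":
    for action, rid in denied_calls(SAMPLE_EVENTS):
        print(f"denied: {action} (requestID {rid})")
    print("not granted by policy:", missing_actions(SAMPLE_EVENTS, ROLE_POLICY))
```

In practice the records come from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ec2.amazonaws.com` (or the Athena query already in use), loaded from the `Events` array of the JSON output; remember that CloudTrail events typically appear some minutes after the API call, so an empty result right after a failed stack operation does not mean nothing was denied.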