
Cloudformation fails due to access denied.

0

It's failing on Create Service. I've made a service role, I've assigned it, and the logs even show it's assuming the role. Still denied. I even gave the role Admin, still denied.

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA45UGXDMZPC346VWRH:AWSCloudFormation",
    "arn": "arn:aws:sts::000000000000:assumed-role/CloudFormationServiceRole/AWSCloudFormation",
    "accountId": "",
    "accessKeyId": "ASIA45UGXDMZG7P5FK7H",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROA45UGXDMZPC346VWRH",
        "arn": "arn:aws:iam::00000000000:role/CloudFormationServiceRole",   <---- *** I swear on my life this role has the Admin policy attached. ***
        "accountId": "",
        "userName": "CloudFormationServiceRole"
      },
      "attributes": {
        "creationDate": "2024-07-20T02:55:36Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "cloudformation.amazonaws.com"
  },
  "eventTime": "2024-07-20T02:55:36Z",
  "eventSource": "ecs.amazonaws.com",
  "eventName": "CreateService",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userAgent": "cloudformation.amazonaws.com",
  "errorCode": "AccessDenied",
  "errorMessage": "Access denied",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "13c8e3c8-f702-4693-adc2-4f0e5b8fb5d6",
  "eventID": "358995ca-cbfe-4673-8e22-04da05493424",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "",
  "eventCategory": "Management"
}

3 Answers
0

So, the cluster field in the CloudFormation template wasn't right. Not exactly sure how that managed to send it into access denied territory, but... well, it's fixed.

answered 2 years ago
0

I had faced a similar issue. I cannot say exactly what issue you are facing, but this might help with how to solve it.

Usually AWS errors will mention which particular permission is required or missing. I faced this Access Denied issue in 2 instances:

  1. When I was creating an S3 bucket with a bucket policy through CloudFormation. The role had the necessary permission, but an Org-level bucket policy denied it, hence I got Access Denied instead of an "S3 put bucket policy is needed" error.
  2. When I was trying to access a file which is not present. The role had the S3 GetObject permission but not S3 ListObject, hence I got Access Denied instead of a "no such file or directory" error.

How did I debug? I checked CloudTrail, which has an event/log for every activity that happened in the AWS account.

answered 2 years ago
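The answer above boils down to "read the CloudTrail record and work out where the deny actually came from". The script below is an added example, not code from the original post or from AWS: it takes a CloudTrail log export (a JSON document with a `Records` array, the format CloudTrail delivers to S3), keeps only calls that failed with an access-denied error code, and for each one reports the IAM action, who made the call, which role's session it ran under, whether the call was made on your behalf by a service such as CloudFormation, and a short list of the places to look next. The sample records are constructed here and modelled on the event in the question; account ids, role names, bucket names and the SCP error message wording are placeholders, not values from the page.

```python
"""Triage helper for access-denied events in a CloudTrail log export (added example)."""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Constructed sample log, modelled on the record in the question. Account ids,
# role/bucket names and the SCP wording are placeholders, not real values.
SAMPLE_LOG = json.dumps({"Records": [
    {   # a CloudFormation service-role call denied by ECS, as in the question
        "eventTime": "2024-07-20T02:55:36Z",
        "eventSource": "ecs.amazonaws.com",
        "eventName": "CreateService",
        "errorCode": "AccessDenied",
        "errorMessage": "Access denied",
        "requestParameters": None,
        "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/CloudFormationServiceRole/AWSCloudFormation",
            "invokedBy": "cloudformation.amazonaws.com",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111111111111:role/CloudFormationServiceRole",
                "userName": "CloudFormationServiceRole"}},
        },
    },
    {   # the same principal succeeding: no errorCode, so it must be skipped
        "eventTime": "2024-07-20T02:55:30Z",
        "eventSource": "ecs.amazonaws.com",
        "eventName": "CreateCluster",
        "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/CloudFormationServiceRole/AWSCloudFormation",
            "invokedBy": "cloudformation.amazonaws.com"},
    },
    {   # a denial whose message names its source, made from another account
        "eventTime": "2024-07-20T03:01:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:sts::222222222222:assumed-role/Deployer/cfn is not "
                         "authorized to perform: s3:PutBucketPolicy with an explicit deny "
                         "in a service control policy"),
        "requestParameters": {"bucketName": "example-bucket"},
        "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::222222222222:assumed-role/Deployer/cfn",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::222222222222:role/Deployer",
                "userName": "Deployer"}}},
    },
]})

# Error codes AWS services use for authorization failures.
DENIAL_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}


@dataclass
class DeniedCall:
    event_time: str
    action: str                  # IAM-style "service:Action", e.g. ecs:CreateService
    principal_arn: str           # the credentials that made the call
    issuer_role: Optional[str]   # role behind an assumed-role session, if any
    invoked_by: Optional[str]    # AWS service calling on the principal's behalf
    error_message: str
    request_logged: bool         # False when requestParameters is null
    account_mismatch: bool       # principal, issuer and recipient accounts differ
    hints: List[str] = field(default_factory=list)


def account_of(arn: Optional[str]) -> Optional[str]:
    """Return the account-id field of an ARN, or None if absent or empty."""
    if not arn:
        return None
    parts = arn.split(":")
    if len(parts) < 6:
        return None
    return parts[4] or None


def iam_action(record: Dict[str, Any]) -> str:
    """ecs.amazonaws.com + CreateService -> ecs:CreateService."""
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def hints_for(call: DeniedCall) -> List[str]:
    """Where to look next, derived only from fields present in the record."""
    msg = call.error_message.lower()
    out: List[str] = []
    if "explicit deny" in msg:
        source = "a service control policy" if "service control policy" in msg else "a policy"
        out.append(f"explicit deny in {source}: no identity policy on the role can override it")
    elif call.issuer_role:
        out.append(f"the call ran as role {call.issuer_role!r} (assuming it succeeded); look for a "
                   "deny source outside its identity policies: SCP, permissions boundary, "
                   "resource policy, or a wrong resource reference in the template")
    if call.invoked_by:
        out.append(f"invoked by {call.invoked_by}: the service role, not your user, needs the permission")
    if not call.request_logged:
        out.append("requestParameters were not logged; compare the template's resource references "
                   "(e.g. the ECS cluster) with what actually exists")
    if call.account_mismatch:
        out.append("principal and recipient account ids differ: cross-account call, "
                   "check the resource-side policy and the role trust")
    return out


def triage_record(record: Dict[str, Any]) -> Optional[DeniedCall]:
    """Return a DeniedCall for an access-denied record, None for anything else."""
    if record.get("errorCode") not in DENIAL_CODES:
        return None
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    accounts = {a for a in (account_of(ident.get("arn")), account_of(issuer.get("arn")),
                            record.get("recipientAccountId") or None) if a}
    call = DeniedCall(
        event_time=record.get("eventTime", ""),
        action=iam_action(record),
        principal_arn=ident.get("arn", "<unknown>"),
        issuer_role=issuer.get("userName"),
        invoked_by=ident.get("invokedBy"),
        error_message=record.get("errorMessage", ""),
        request_logged=record.get("requestParameters") is not None,
        account_mismatch=len(accounts) > 1,
    )
    call.hints = hints_for(call)
    return call


def triage(log_json: str) -> List[DeniedCall]:
    """Parse a CloudTrail export and return its access-denied calls in log order."""
    records = json.loads(log_json).get("Records", [])
    return [c for c in (triage_record(r) for r in records) if c is not None]


if __name__ == "__main__":
    for call in triage(SAMPLE_LOG):
        print(f"{call.event_time} {call.action} denied for {call.principal_arn}")
        for hint in call.hints:
            print("  -", hint)
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; with Athena or CloudWatch Logs exports the same `triage_record` function works on each record individually. The useful signal for the question's case is the combination the first sample reproduces: the session issuer is the expected service role and `invokedBy` is CloudFormation, so the role assumption itself worked and the deny has to come from something other than the role's own identity policies.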
0

Hi Kelnor,

There are a couple of possibilities why CloudFormation might be encountering an "Access Denied" error on Create Service even with an IAM role assigned and apparently assumed.

Please follow the links to resolve the issue:

Troubleshooting access denied error messages - AWS IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html

AWS CloudFormation S3 error: Access Denied:

https://stackoverflow.com/questions/64720224/s3-error-access-denied-when-deploying-cfn-template-with-nested-stacks

EXPERT
answered 2 years ago
