1 Answer
Hi, do the new versions of your stacks (i.e., the change sets) include some new IAM definitions or updates?
In that case, CAPABILITY_IAM is needed:
See https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
CAPABILITY_IAM and CAPABILITY_NAMED_IAM
Some stack templates might include resources that can affect permissions
in your AWS account; for example, by creating new AWS Identity and Access
Management (IAM) users. For those stacks, you must explicitly acknowledge this
by specifying one of these capabilities.
The following IAM resources require you to specify either the
CAPABILITY_IAM or CAPABILITY_NAMED_IAM capability.
If you have IAM resources, you can specify either capability.
If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM.
If you don't specify either of these capabilities, AWS CloudFormation returns
an InsufficientCapabilities error.
Best, Didier
I understand that the capabilities are needed for CreateStack, and of course for ExecuteChangeSet, but I don’t understand why they would be needed just for CreateChangeSet.
Again, the error is not when I update the stack, it is shown earlier, where the list of stack changes should be. It also doesn’t seem to happen 100% of the time, even though the template is always the same.
(PS: is there a recommended way of adding screenshots here, to make the question clearer?)