Error creating CloudFormation change set: Requires capabilities : [CAPABILITY_IAM]

Hello! We have some CloudFormation stacks for our web app (one is production and others are for staging & testing). Normally when we release a new version we just update the stack with a new template and code for the Lambdas. We do this update manually via the AWS console, and one of the steps is checking the change set to make sure it looks reasonable.

Recently (not sure when, but no earlier than last week), CloudFormation became unable to create the change sets. Whenever we try to update a stack, we get an error with the title There was an error creating this change set and the text “Requires capabilities : [CAPABILITY_IAM]”.

This error appears in the Change set preview section of the Update stack page (in step 4, Review), and also if we click on View change set. The change sets can be found in the stack’s tab with status FAILED and the status reason from above.

Now, I know that creating or updating our stack requires CAPABILITY_IAM (in fact, it also needs CAPABILITY_NAMED_IAM and CAPABILITY_AUTO_EXPAND), and we have the checkboxes to check before applying a change set.

But I never found anywhere an indication that it might be needed just to create the change set, or how to actually set that capability. I searched on Google and here in re:Post and found nothing like this.

As far as I can tell, this is not a change in our template (I tested with a template and code from a past release that was already deployed successfully) or in my permissions (I tried with an IAM role that has all permissions for this account).

Can this be a recent bug in CloudFormation? How come nobody else encountered it?

bogdanb
asked 9 months ago, 910 views
1 Answer
Hi, do the new versions of your stacks (i.e the change sets) include some new IAM definitions or updates?

In that case, CAPABILITY_IAM is needed:

See https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

CAPABILITY_IAM and CAPABILITY_NAMED_IAM

Some stack templates might include resources that can affect permissions in your AWS account; for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities.

The following IAM resources require you to specify either the CAPABILITY_IAM or CAPABILITY_NAMED_IAM capability.

If you have IAM resources, you can specify either capability.

If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM.

If you don't specify either of these capabilities, AWS CloudFormation returns an InsufficientCapabilities error.

Best, Didier

AWS EXPERT, answered 9 months ago
AWS EXPERT, reviewed 9 months ago
Comment: I understand that the capabilities are needed for CreateStack, and of course for ExecuteChangeSet, but I don’t understand why they would be needed just for CreateChangeSet?

Again, the error is not when I update the stack, it is shown earlier, where the list of stack changes should be. It also doesn’t seem to happen 100% of the time, even though the template is always the same.

(PS: is there a recommended way of adding screenshots here, to make the question clearer?)
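As an added example (not from the answer above or from AWS), this boto3-oriented pre-check derives the capabilities a template needs from its IAM resources and Transform section, and builds the create_change_set arguments so the acknowledgement is given at CreateChangeSet, which is where the question's FAILED change sets come from. The resource type and custom-name property lists are assumptions taken from the public CloudFormation docs, and the template is a constructed sample.

```python
import json

# IAM resource types the CloudFormation docs list as needing CAPABILITY_IAM, and
# the custom-name properties that upgrade it to CAPABILITY_NAMED_IAM (assumed lists).
IAM_TYPES = {
    "AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
    "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User",
    "AWS::IAM::UserToGroupAddition", "AWS::IAM::ManagedPolicy",
}
CUSTOM_NAME_PROPS = {"RoleName", "UserName", "GroupName",
                     "InstanceProfileName", "ManagedPolicyName"}


def required_capabilities(template: dict) -> list:
    """Capabilities a CreateChangeSet/CreateStack call must acknowledge."""
    resources = template.get("Resources", {})
    iam = [r for r in resources.values() if r.get("Type") in IAM_TYPES]
    named = [r for r in iam if CUSTOM_NAME_PROPS & set(r.get("Properties", {}))]
    caps = []
    if named:
        caps.append("CAPABILITY_NAMED_IAM")   # custom names: NAMED_IAM is mandatory
    elif iam:
        caps.append("CAPABILITY_IAM")         # unnamed IAM resources: either works
    if "Transform" in template:               # SAM / macros: template gets expanded
        caps.append("CAPABILITY_AUTO_EXPAND")
    return caps


def change_set_kwargs(stack_name: str, change_set_name: str, template: dict) -> dict:
    """Arguments for boto3 cloudformation.create_change_set(). Capabilities are
    passed when the change set is created, not only at ExecuteChangeSet; omitting
    them yields a change set in status FAILED with the reason quoted in the question."""
    return {
        "StackName": stack_name,
        "ChangeSetName": change_set_name,
        "ChangeSetType": "UPDATE",
        "TemplateBody": json.dumps(template),
        "Capabilities": required_capabilities(template),
    }


# Constructed sample: a SAM-style Lambda app whose execution role has a custom name.
SAMPLE_TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "LambdaRole": {"Type": "AWS::IAM::Role",
                       "Properties": {"RoleName": "webapp-lambda-role",
                                      "AssumeRolePolicyDocument": {}}},
        "App": {"Type": "AWS::Serverless::Function",
                "Properties": {"Handler": "app.main", "Runtime": "python3.12",
                               "Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]}}},
    },
}
```

Call `boto3.client("cloudformation").create_change_set(**change_set_kwargs("webapp-staging", "release-42", SAMPLE_TEMPLATE))`, then review the IAM resource changes in the resulting change set before executing it.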
