Hello there,
Looking at the error below, the issue was in downloading the nested stack's template while creating the nested stack:
awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454 - create failed - S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454 --> This looks like a nested stack resource.
Possible causes of the issue and resolutions:
- The CloudFormation service role of the stack does not have enough permission to pull the template of the nested stack from its S3 location. Adding the permission below to the CloudFormation service role may help here:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  You can optionally specify only the S3 bucket ARN where the nested stack's template is present in the "Resource" section of the above policy.
- A bucket policy on the S3 bucket of the nested stack's template may be restricting access from the AWS CloudFormation service role. Please check this and allow the CloudFormation service role to get the objects from this bucket. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html --> [1]
- If encryption is enabled for the S3 bucket and it's using a customer managed KMS key, please provide permission for the CloudFormation stack service role to use the KMS key. A policy example is given below:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
          ],
          "Resource": "*"
        }
      ]
    }
  If the KMS key is in a different account, you may need to grant access to the CloudFormation stack role in the AWS KMS key policy as well. Please refer to the documentation [2] for more information about KMS key policies.
I hope this information serves you. Further troubleshooting of this requires checking IAM role policies, the S3 bucket policy, KMS and other resources in the AWS account, so if you need additional help on this, feel free to reach out to AWS Premium Support.
References:
[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
[2] https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
From your error, it looks like the role that is deploying the stack may not have permissions to the S3 bucket or to create the bucket.
Make sure you have provided either the proper permissions to allow your stack to create the bucket or to access the bucket. Here's some additional information - https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html
Hope this helps.
Hi, I'm sure that the CloudFormation role that I'm using has administrator access, because I granted it when this was driving me crazy. What role will the nested stack actually run with?
Hello there,
The nested stack runs with the CloudFormation service role [1] (the CFN service role/stack role is used to pull the nested stack template from S3 and is also used in provisioning all the resources of the nested stack).
The nested stack template URL will be available in the "TemplateURL" [2] property of the nested stack resource in the parent stack template. This will give you the S3 bucket that stores the nested stack template. You can use that S3 bucket to further troubleshoot the issue with the steps below:
References:
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
[2] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html#cfn-cloudformation-stack-templateurl
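As an added illustration (not code from this thread or from AWS), the Python below resolves the TemplateURL of each nested stack resource in a parent template, which is a Fn::Join over a path-style S3 URL in CDK output, to its bucket and key, and then emits the first answer's s3:Get*/s3:List* statement scoped to that bucket instead of "Resource": "*". The parent template, account id and asset hash are constructed placeholders.

```python
import re

# Constructed sample (not from the thread): a nested-stack resource in the shape CDK emits,
# with a placeholder account id and asset hash.
PARENT_TEMPLATE = {"Resources": {"ProviderNestedStack": {
    "Type": "AWS::CloudFormation::Stack",
    "Properties": {"TemplateURL": {"Fn::Join": ["", [
        "https://s3.eu-west-2.", {"Ref": "AWS::URLSuffix"},
        "/cdk-hnb659fds-assets-123456789012-eu-west-2/0123abcd.json"]]}},
}}}
PSEUDO_PARAMS = {"AWS::URLSuffix": "amazonaws.com", "AWS::Region": "eu-west-2"}
# Path-style S3 URL: https://s3[.region].amazonaws.com/<bucket>/<key>
S3_URL = re.compile(r"^https://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([^/]+)/(.+)$")

def resolve(node):
    """Evaluate the small intrinsic subset a TemplateURL uses: Fn::Join and Ref to pseudo-params."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p) for p in parts)
    if isinstance(node, dict) and "Ref" in node:
        return PSEUDO_PARAMS[node["Ref"]]
    raise ValueError(f"unsupported intrinsic in TemplateURL: {node!r}")

def nested_template_locations(template):
    """Map each AWS::CloudFormation::Stack logical id to the (bucket, key) its TemplateURL points at."""
    found = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        url = resolve(res["Properties"]["TemplateURL"])
        m = S3_URL.match(url)
        if not m:
            raise ValueError(f"{logical_id}: not a path-style S3 URL: {url}")
        found[logical_id] = (m.group(1), m.group(2))
    return found

def scoped_service_role_policy(locations):
    """The answer's s3:Get*/s3:List* statement narrowed to the buckets that hold nested templates."""
    buckets = sorted({bucket for bucket, _ in locations.values()})
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
    ]}
```

The bucket name it returns is the one whose bucket policy and KMS key the first answer says to check; a GetObject denied on it by the service role points at one of those three causes.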
How does the nested stack get into the S3 bucket from the artifact bucket, to the CDK assets bucket??
This is the bit out of the cluster template, and the file 22906e5b58e08ac2681a028481b574e104676337fc7a7e1b6d0cfb021a645670.json (which is the one that comes up in CloudTrail) isn't in the CDK assets bucket?!
    "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": {
          "Fn::Join": [
            "",
            [
              "https://s3.eu-west-2.",
              { "Ref": "AWS::URLSuffix" },
              "/cdk-hnb659fds-assets-715522585778-eu-west-2/22906e5b58e08ac2681a028481b574e104676337fc7a7e1b6d0cfb021a645670.json"
            ]
          ]
        },
I've removed some bits that reveal internal tags. Is this the file that should be placed into the directory??? But isn't for some reason??
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "LocalCluster/@aws-cdk--aws-eks.ClusterResourceProvider.NestedStack/@aws-cdk--aws-eks.ClusterResourceProvider.NestedStackResource",
        "aws:asset:path": "LocalClusterawscdkawseksClusterResourceProvider87C3D556.nested.template.json",
        "aws:asset:property": "TemplateURL"
      }