All Questions tagged with aws-cloudformation amazon-iam (336 questions)
94 votes | 7 answers | 53k views
AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]
When creating a stack with CloudFormation, I get this error:
Stack update error: Requires capabilities : [CAPABILITY_IAM]
I can't find a template for adding CAPABILITIES_IAM to the CloudFormation ...
90 votes | 12 answers | 108k views
User is not authorized to perform: cloudformation:CreateStack
I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error.
AccessDenied: User: arn:aws:iam::XXXXXXXXX:...
55 votes | 6 answers | 30k views
What IAM permissions are needed to use CDK Deploy?
My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.
In the past, we would upload some artifacts to S3 buckets before ...
38 votes | 6 answers | 27k views
Nested Step Function in a Step Function: Unknown Error: "...not authorized to create managed-rule"
I have a Step Function (Parent) created in a SAM/CloudFormation template that, among other things, calls another Step Function (Child). I'm following the instructions on calling Child, from Parent, ...
29 votes | 2 answers | 18k views
Cannot create only IAM policy with cloudformation
I am having an issue with creating an IAM policy in CloudFormation. But when I run it I get the error that Groups, Roles, Users is required:
Here is my code:
{
"AWSTemplateFormatVersion": "2010-09-09",
"...
28 votes | 1 answer | 41k views
How to reference a resource ARN in a cloudformation policy document? (yaml)
I am trying to define a trust relationship policy document between a role and a user in cloudformation (yaml).
For specifying the ARN of the user in the role's AssumeRolePolicyDocument, I want to ...
25 votes | 2 answers | 22k views
When do I need to have CAPABILITY_NAMED_IAM
I was editing my CloudFormation templates and suddenly AWS tells me I need CAPABILITY_NAMED_IAM. I am curious as to which change triggers this?
What is a named IAM resource?
Before I already "name"...
20 votes | 1 answer | 17k views
Adding lambda target role to AWS Eventbridge rule in Cloudformation fails
I am trying to create an AWS Eventbridge rule with a Lambda function as a target. I can add the rule and target fine but when I try to set the lambda permissions via RoleArn the Cloudformation stack ...
18 votes | 4 answers | 42k views
How to add S3 BucketPolicy with AWS CDK?
I wanna translate this CloudFormation piece into CDK:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: S3BucketImageUploadBuffer
PolicyDocument:
Version: "2012-10-17"
Statement:
...
18 votes | 5 answers | 40k views
CloudFormation is not authorized to perform: iam:PassRole on resource
This is part of the code of my template.yml in Cloud9:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs6.10
CodeUri: .
Description: Updates records in the ...
18 votes | 5 answers | 16k views
AWS Cloudformation Role is not authorized to perform AssumeRole on Role
I am trying to execute a cloudformation stack which contains the following resources:
Codebuild project
Codepipeline pipeline
Roles needed
While trying to execute the stack, it fails with the ...
17 votes | 2 answers | 13k views
How do I supply different conditions based on a parameter in an IAM Role CloudFormation Template
I'm writing a CloudFormation template for an IAM role that I will assume through STS. I need to add a condition where a key equals a value, where both the key and value depends on a "Stage" parameter. ...
17 votes | 1 answer | 16k views
CloudFormation IAM Role -- AssumeRolePolicyDocument
So I'm constructing a cf stack for a role in AWS and I don't know how to go about the AssumeRolePolicyDocument field when designing a role that is not resource-based.
All the examples I've tried to ...
15 votes | 3 answers | 4k views
How to set user name and group name in IAM using CloudFormation?
I created a CloudFormation template and I wanted to create IAM user, to do that I used this JSON string:
"CFNUser" : {
"Type" : "AWS::IAM::User",
"Properties&...
15 votes | 1 answer | 7k views
How do I identify what IAM permissions are required for AWS CloudFormation?
I want to use CloudFormation. package and deploy functions but how do I go about determining what IAM permissions are required to run these?
In general, how do I determine what permissions are ...
14 votes | 3 answers | 49k views
AWS IAM Cloudformation YAML template error: 'null' values are not allowed
I am working on a Cloudformation template for an IAM role that grants cross account read only access. It uses a managed policy for Readonly access as well. So far, I've resolved several errors, but ...
13 votes | 1 answer | 18k views
Message "Did not have IAM permissions to process tags on AWS::KMS::Key resource" When Creating KMS Key Using Cloudformation
While creating a new KMS key using Cloudformation I see this message in the "Status Reason" column:
Did not have IAM permissions to process tags on AWS::KMS::Key resource
The cloudformation stack ...
12 votes | 2 answers | 14k views
Enable logging S3 via cloudFormation template?
I am trying to create 2 buckets with 2 different policies.
One bucket, VendorsWGLogs, will be the destination for log output.
The other bucket, VendorsWG, will give GetObject, PutObject, and ...
12 votes | 2 answers | 7k views
Can IAM role temporary credentials be used in cloudformation templates?
I'm building a stack that needs access to a private S3 bucket to download the most current version of my application. I'm using IAM roles, a relatively new AWS feature that allows EC2 instances to be ...
12 votes | 2 answers | 4k views
How do I access the current user in a cloudformation template?
I want to create a KMS key using CloudFormation. I want to be able to provide the user executing the cloudformation YAML file (I'll call them "cloudformation-runner"), administrative access to the key ...
11 votes | 2 answers | 61k views
AWS CodePipeline error: Cross-account pass role is not allowed
I am trying to create an AWS CodePipeline that deploys the production code to a separate account. The code consists of a lambda function which is setup using a sam template and cloudformation. I have ...
11 votes | 1 answer | 2k views
Least privilege AWS IAM policy for cloudformation
For small CloudFormation and CodePipeline templates we could "try - test" to get least privilege IAM Policy for the roles required.
This usually involves:
Starting with a minimal policy
Creating ...
11 votes | 1 answer | 2k views
Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?
Just wondering what's the best practice for determining what permissions I should give for my CloudFormation template?
After some time of trying to give the minimal permissions it requires, I find ...
10 votes | 5 answers | 8k views
CloudWatch resource access policy error while creating Amazon Elasticsearch Service via Cloud Formation
I am trying to create an elastic search domain with enabled LogPublishingOptions. While enabling LogPublishingOptions ES says it does not have sufficient permissions to create a LogStream on Cloudwatch.
I ...
10 votes | 1 answer | 4k views
Route53 getHostedZone AccessDenied. User doesn't have permission to call route53:GetHostedZone
I'm creating an AWS Cloudformation stack in which I'm adding a recordset to an existing Route53 Hosted Zone. The resource is specified as follows (in YAML format):
DNS:
Type: AWS::Route53::...
10 votes | 1 answer | 7k views
How can I use AssumeRole from another AWS account in a CloudFormation template?
I am trying to work out the logic flow for an AWS CloudFormation template that will assume an IAM role that can pull files from a S3 bucket in another AWS account.
What I have so far is:
accountA ...
9 votes | 1 answer | 2k views
How to add Metadata to IAM Policy using AWS CDK?
I need to add some Metadata into Cloudformation for an IAM Policy. How can I do this with CDK?
I'm using the CDK to synth a cloudformation and I need to include a metadata to suppress cfn-nag (...
9 votes | 1 answer | 6k views
How do you associate a IAM Role with an Aurora Cluster using CloudFormation?
Following the instructions found here, I have created the following IAM Role
"DatabaseS3Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"...
9 votes | 3 answers | 9k views
Cloudformation how to reference Managed-Policy from another stack
I have the following role. From within it I want to use an existing managed policy from another stack.
How can I do so?
"TestRole": {
"Properties": {
"AssumeRolePolicyDocument": {
"...
8 votes | 2 answers | 6k views
Cloudformation LaunchTemplate referencing IamInstanceProfile fails to create
I am trying to create a LaunchTemplate, which references an IamInstanceProfile, in my Cloudformation stack. Here is the code; I have omitted the irrelevant parts:
...
Resources:
...
8 votes | 1 answer | 8k views
Attach more than one IAM inline policy from cloudformation to the same role
I am checking to see if we could attach more than one IAM policy with cloud formation.
I am already attaching a Managed Policy and I am able to attach an inline policy but wanted to check if I could ...
8 votes | 4 answers | 11k views
How to solve AWS CloudFront SSL Certificate Doesn't Exist
When I was adding the IamCertificateId property to my AWS::CloudFront::Distribution in CloudFormation, I got the following error:
Resource handler returned message: "Invalid request provided: ...
7 votes | 1 answer | 7k views
create custom AWS IAM policy using CDK
As per doc: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Policy.html
I could create my own policy and attach to role but it is not creating a new policy rather attached as inline ...
7 votes | 2 answers | 8k views
Assumable role in an AWS cloud formation
Using AWS, I'm building a cloud formation stack defining the following:
Several resources (for the sake of simplicity, not transcribed below)
A Policy called MyPolicy allowing to use those resources (...
7 votes | 2 answers | 3k views
aws CAPABILITY_AUTO_EXPAND console web codepipeline with cloudformation
I am trying to complete a codepipeline with the cloudformation service and this error is generated. It must be said that the separate cloudformation service works well. The complete error is:
...
7 votes | 1 answer | 11k views
CodeBuild unable to create Logs
I have the following Role for my CodeBuild service, generated via CloudFormation
CodeBuildRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub '${PipelineName}-codebuild'
...
7 votes | 1 answer | 7k views
How to create API Gateway Resource Policy that references itself in the Python CDK?
I'm creating an API that will ONLY accept requests made from the GitHub Webhook servers by using a Resource Policy with the GitHub IPs. I've successfully done this using the console and manually ...
6 votes | 2 answers | 10k views
How to generate the AWS root account ARN in CloudFormation?
The situation
I am generating a KMS Key in CloudFormation. According to the KMS policy documentation, it is crucial to create a policy where the Principal is the account itself, in order for IAM ...
6 votes | 1 answer | 3k views
Why is my CFN IAM role failing with "Missing required field Action"?
My code clearly has an action. So I assume it's a formatting error. I know it's a silly thing but I can't figure it out.
Resources:
LambdaExecRole:
Type: AWS::IAM::Role
Properties:
Path:...
6 votes | 2 answers | 4k views
How to reference AWS managed policy arn in cloudformation?
I am going to create an IAM user with cloudformation and need to attach an AWS managed policy AWSAppSyncInvokeFullAccess. I think I should use the managed policy like below code:
Resources:
...
6 votes | 3 answers | 9k views
How to specify lambda function and IAM role name in cloudformation template
Here is my template:
{
"AWSTemplateFormatVersion":"2010-09-09",
"Resources":{
"lambdafunction":{
"Type":"AWS::Lambda::Function",
"Properties":{
"...
6 votes | 1 answer | 2k views
How can I access protected S3 files in a CFN script?
I am trying to retrieve a file in my cloudformation script. If I make the file publicly available, then it works fine. If the file is private, then the cfn script fails, but with a 404 error in /var/...
5 votes | 1 answer | 12k views
CloudFormation YAML - IAM policy with a statement that has a condition
I have an IAM Policy that was created automatically when creating another resource in the AWS Console. I'm trying to add this into an existing CloudFormation stack.
The policy has the following ...
5 votes | 4 answers | 11k views
Cloudformation unable to create resource policy for apigateway
The resource policy is working fine when I directly pass it to the console.
Below is a resource policy example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "...
5 votes | 1 answer | 2k views
How does one escape policy variables in AWS CloudFormation YAML templates
I have been trying to write a number of my AWS CloudFormation templates in the YAML format.
I have been having issues with CloudFormation trying to parse IAM policy variables, such as ${aws:username},...
5 votes | 4 answers | 11k views
CDK DnsValidatedCertificate: Can create a certificate in a linked AWS account, when the hosted zone is part of the parent account?
I'm trying to use AWS' Cloud Development Kit to create an SSL certificate for some sub-subdomains of my website. The trouble is that I'm using AWS Organizations and the relevant resources belong to ...
5 votes | 1 answer | 6k views
Associating multiple IAM role with AWS::IAM::InstanceProfile in CloudFormation
I've got a CloudFormation template that brings up an auto-scaling group. It has the below instance profile and associated role and policy. Is there any way to also add an existing IAM role to the ...
5 votes | 2 answers | 3k views
How to pass a role to cli command "aws cloudformation deploy" or "sam deploy"?
I am creating a cloudformation stack using a SAM template and the CLI. I have successfully done this using an account that gets all the required permissions from policies directly attached to it. It's ...
5 votes | 1 answer | 1k views
Why do Amazon suggest including the region in AWS IAM resource names?
IAM resources are global, meaning they aren't isolated within specific AWS regions. However, the documentation for an IAM role includes a warning:
Important
Naming an IAM resource can cause an ...
5 votes | 1 answer | 5k views
How to write Resource-based policy in Cloudformation
I want to invoke a Lambda from an external AWS account, and I managed to do it by creating a Policy statement in the Resource-based policy tab of the console (Lambda > Configuration > ...