User is not authorized to perform: cloudformation:CreateStack
Problem Overview
I'm trying out Serverless to create AWS Lambdas, and while creating a project using the command serverless project create I'm getting the following error.
AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:us-east-1:XXXXXXXXX:stack/XXXXXXXXX-development-r/*
I have created a user and granted the following permissions to the user.
- AWSLambdaFullAccess
- AmazonS3FullAccess
- CloudFrontFullAccess
- AWSCloudFormationReadOnlyAccess (there was no AWSCloudFormationFullAccess to grant)
How can I proceed? What other permissions do I have to grant?
Solutions
Solution 1
The closest one that you've mentioned is AWSCloudFormationReadOnlyAccess, but obviously that's for read-only and you need cloudformation:CreateStack. Add the following as a user policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
It's entirely possible you'll need more permissions, for instance to launch an EC2 instance, to (re)configure security groups, etc.
Solution 2
What @tedder42 said, but I also had to add the following to my group policy before I could deploy to Lambda from inside Visual Studio.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Solution 3
In my recent experience the policy required was:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ValidateTemplate",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Solution 4
I wasn't able to get the shorter versions shown above to work; what fixed things for me was extending @mancvso's answer slightly to add "cloudformation:GetTemplateSummary":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ValidateTemplate",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Solution 5
If you have multiple AWS profiles, try to explicitly set
  export AWS_ACCESS_KEY_ID=<value>
  export AWS_SECRET_ACCESS_KEY=<value>
before trying
  serverless deploy
Solution 6
These 2 helped me cross the line...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "apigateway:*",
      "Resource": "*"
    }
  ]
}
and
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStackResource",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    }
  ]
}
Solution 7
Create the following policy:
- Click on Policy -> Create Policy
- Under Select Service - Type EKS & Select 'EKS'
- Under Actions: Select 'All EKS Actions'
- Under Resources: Either select 'All resources' or Add ARN
- Click on Review Policy
- Type the name for the policy & create the policy.
Now, associate this policy to the user account. This should solve the issue & you should be able to create the stack.
Solution 8
With the recent updates in AWS, the following inline policy will also work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DeleteStack"
      ],
      "Resource": "*"
    }
  ]
}
Solution 9
I fixed this issue by adding the permission to the user in the AWS console:
- Go to AWS Console
- Find the user whose credentials you are using: IAM > Access Management > Users
- Permissions > 'Add Permissions' > 'Attach existing policies directly'
- Search for and select 'AWSCloudFormationFullAccess'
Solution 10
Just for others' reference, in case someone searching for this issue gets here:
Make sure that you deleted the permissions boundary for that IAM user.
If you find that you have granted CloudFormation full access to the IAM user and still get the same error claiming User is not authorized to perform: cloudformation:CreateStack, then it's denied by the permissions boundary.
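The answers above disagree about which action list is enough, and Solution 10 adds the twist that a permissions boundary can override every attached policy. The following is an added example (not code from the thread or from AWS) that models that part of IAM evaluation offline, so you can check a required action list against policy documents before attaching anything: an explicit Deny anywhere wins, then the boundary (if any) must Allow, then some identity policy must Allow. The read-only policy and the S3-only boundary are constructed stand-ins (the former is not the exact contents of the AWSCloudFormationReadOnlyAccess managed policy); the CreateStack policy is Solution 1's JSON and the required list is Solution 3's. Resource ARNs, conditions and NotAction are ignored on the assumption that every statement uses "Resource": "*" as the answers here do.

```python
"""Offline check of which IAM actions a set of policy documents grants.

Simplified model of IAM evaluation (assumption: Action-only statements on
"Resource": "*"; resource ARNs, Condition and NotAction are not modelled):
  1. an explicit Deny in any identity policy or in the boundary wins,
  2. if a permissions boundary is set, it must Allow the action,
  3. otherwise some identity policy must Allow the action.
"""
import fnmatch
import json


def _as_list(value):
    """IAM accepts "Action": "x" or "Action": ["x", "y"]; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns support '*' and '?' and are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_effects(policy, action):
    """Yield the Effect of every statement in `policy` whose Action matches `action`."""
    for stmt in _as_list(policy.get("Statement")):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            yield stmt.get("Effect", "Deny")


def decision(action, identity_policies, boundary=None):
    """Return 'Allow', 'ImplicitDeny', 'ExplicitDeny' or 'BoundaryDeny' for one action."""
    effects = [e for p in identity_policies for e in statement_effects(p, action)]
    boundary_effects = list(statement_effects(boundary, action)) if boundary else []
    if "Deny" in effects or "Deny" in boundary_effects:
        return "ExplicitDeny"
    if boundary is not None and "Allow" not in boundary_effects:
        return "BoundaryDeny"  # the Solution 10 case: policies allow, boundary does not
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"  # the original question's case: nothing grants the action


def missing_actions(required, identity_policies, boundary=None):
    """Map each action in `required` that would fail to the reason it fails."""
    result = {}
    for action in required:
        verdict = decision(action, identity_policies, boundary)
        if verdict != "Allow":
            result[action] = verdict
    return result


# Constructed stand-in for a read-only CloudFormation policy (assumption; not the
# literal contents of the AWSCloudFormationReadOnlyAccess managed policy).
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:Describe*", "cloudformation:Get*",
                   "cloudformation:List*", "cloudformation:ValidateTemplate"],
        "Resource": "*",
    }],
}

# The CreateStack policy from Solution 1, parsed from its JSON text.
CREATE_STACK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Stmt1449904348000", "Effect": "Allow",
                 "Action": ["cloudformation:CreateStack"], "Resource": ["*"]}]
}""")

# Constructed permissions boundary covering only S3 (the Solution 10 scenario).
S3_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The action list from Solution 3.
REQUIRED = [
    "cloudformation:CreateStack", "cloudformation:CreateChangeSet",
    "cloudformation:ListStacks", "cloudformation:UpdateStack",
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource",
    "cloudformation:DescribeStackEvents", "cloudformation:ValidateTemplate",
    "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet",
]

if __name__ == "__main__":
    print("read-only only:", missing_actions(REQUIRED, [READ_ONLY]))
    print("+ CreateStack :", missing_actions(REQUIRED, [READ_ONLY, CREATE_STACK]))
    print("with boundary :", missing_actions(REQUIRED, [READ_ONLY, CREATE_STACK],
                                             S3_ONLY_BOUNDARY))
```

With only the read-only policy, the four mutating actions (CreateStack, CreateChangeSet, UpdateStack, ExecuteChangeSet) come back as ImplicitDeny, which is the error in the question; adding Solution 1's policy clears CreateStack but the deployment will then stop at the next missing action, which is why later answers keep growing the list. With the S3-only boundary attached, every action is BoundaryDeny regardless of how much the identity policies grant, which is what Solution 10 describes. For the real answer on a live account, IAM's policy simulator (the iam:SimulatePrincipalPolicy API) evaluates resources, conditions and boundaries that this model leaves out.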
Solution 11
I had MFA enabled and had to obtain temporary credentials using an MFA code to get AWS SAM to work, as per this comment.
Solution 12
There is a section in the docs on this (at least now), with a gist showing the policy JSON they recommend.
Solution 13
Give "administrator" access to the user you created.