User is not authorized to perform: cloudformation:CreateStack

I'm trying out Serverless to create AWS Lambdas, and while creating a project using the command serverless project create I'm getting the following error.

AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:us-east-1:XXXXXXXXX:stack/XXXXXXXXX-development-r/*

I have created a user and granted the following permissions to the user.

  1. AWSLambdaFullAccess
  2. AmazonS3FullAccess
  3. CloudFrontFullAccess
  4. AWSCloudFormationReadOnlyAccess ( There was no AWSCloudFormationFullAccess to grant )

How can I proceed? What other permissions do I have to grant?


The closest one that you've mentioned is AWSCloudFormationReadOnlyAccess, but obviously that's read-only and you need cloudformation:CreateStack. Add the following as a user policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

It's entirely possible you'll need more permissions, for instance to launch an EC2 instance, to (re)configure security groups, etc.

What @tedder42 said, but I also had to add the following to my group policy before I could deploy to Lambda from inside Visual Studio.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

With the recent updates in AWS, the following inline policy will also work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DeleteStack"
      ],
      "Resource": "*"
    }
  ]
}

Give "administrator" access to the user you created.

In my recent experience the policy required was:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ValidateTemplate",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

I wasn't able to get the shorter versions shown above to work; what fixed things for me was extending @mancvso's answer slightly to add "cloudformation:GetTemplateSummary":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1449904348000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:ListStacks",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ValidateTemplate",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

There is a section in the docs on this (at least now), with a gist showing the policy JSON they recommend.

These 2 helped me cross the line...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "apigateway:*",
      "Resource": "*"
    }
  ]
}

and

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStackResource",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    }
  ]
}

Create the following policy:

  1. Click on Policy -> Create Policy
  2. Under Select Service - Type EKS & Select 'EKS'
  3. Under Actions: Select 'All EKS Actions'
  4. Under Resources: Either select 'All resources' or Add ARN
  5. Click on Review Policy
  6. Type the name for the policy & create the policy.

Now, associate this policy with the user account. This should solve the issue, and you should be able to create the stack.

If you have multiple AWS profiles, try explicitly setting

export AWS_ACCESS_KEY_ID=<value>
export AWS_SECRET_ACCESS_KEY=<value>

before trying

serverless deploy

I fixed this issue by adding the permission to the user in the AWS console:

  1. Go to AWS Console
  2. Find the user whose credentials you are using IAM > Access Management > Users
  3. Permissions > 'Add Permissions' > 'Attach existing policies directly'
  4. Search for and select 'AWSCloudFormationFullAccess'

Just for others' reference, in case someone searching for this issue gets here:

Make sure that you have deleted the permissions boundary for that IAM user.

If you find that you have granted CloudFormation full access to the IAM user and still get the same error claiming "User is not authorized to perform: cloudformation:CreateStack", then it's being denied by the permissions boundary.

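The answers above list the CloudFormation actions a deploy needs and the last one points out that a permissions boundary can deny an action even when an attached policy allows it. The following is an added example, not code from the question or any answer: a deliberately simplified offline IAM evaluator that shows both effects. It ignores Condition, NotAction, NotResource and Principal; the policy documents (a read-only approximation, a deploy policy scoped to the stack ARN from the error message instead of "*", and an S3-only boundary) and the account id and stack name are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Sequence

# Actions the deploy tooling in the answers above ended up needing;
# CreateStack is the one named in the question's AccessDenied error.
CLOUDFORMATION_DEPLOY_ACTIONS: List[str] = [
    "cloudformation:CreateStack",
    "cloudformation:CreateChangeSet",
    "cloudformation:ListStacks",
    "cloudformation:UpdateStack",
    "cloudformation:DescribeStacks",
    "cloudformation:DescribeStackResource",
    "cloudformation:DescribeStackEvents",
    "cloudformation:ValidateTemplate",
    "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet",
    "cloudformation:GetTemplateSummary",
]

# Constructed resource ARN shaped like the one in the question's error message
# (account id and stack name are placeholders).
STACK_ARN = "arn:aws:cloudformation:us-east-1:123456789012:stack/myservice-development-r/*"

# Constructed approximation of a CloudFormation read-only policy: wildcards
# cover Describe*/Get*/List* but nothing that mutates a stack.
READ_ONLY_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:Describe*", "cloudformation:Get*",
                   "cloudformation:List*", "cloudformation:ValidateTemplate"],
        "Resource": "*",
    }],
}

# Same actions as the answers above, but scoped to this project's stacks
# instead of "*"; the ARN pattern is taken from the AccessDenied message.
SCOPED_DEPLOY_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": CLOUDFORMATION_DEPLOY_ACTIONS,
        "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/myservice-*/*",
    }],
}

# Constructed permissions boundary that only covers S3: anything outside it is
# denied even when an identity policy allows it.
S3_ONLY_BOUNDARY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value) -> List:
    """IAM lets Statement/Action/Resource be a single item or a list; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style matching: '*' matches any run, '?' one character, rest literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate_policy(policy: Dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policies: Sequence[Dict], action: str, resource: str,
               permissions_boundary: Optional[Dict] = None) -> bool:
    """Simplified IAM decision: explicit Deny anywhere -> denied; otherwise an Allow
    is needed in the identity policies AND, if a boundary is attached, in the boundary."""
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    if permissions_boundary is not None:
        return evaluate_policy(permissions_boundary, action, resource) == "Allow"
    return True


def missing_actions(identity_policies: Sequence[Dict], actions: Sequence[str], resource: str,
                    permissions_boundary: Optional[Dict] = None) -> List[str]:
    """Which of `actions` would still produce an AccessDenied on `resource`."""
    return [a for a in actions if not is_allowed(identity_policies, a, resource, permissions_boundary)]


if __name__ == "__main__":
    print("read-only only, missing:",
          missing_actions([READ_ONLY_POLICY], CLOUDFORMATION_DEPLOY_ACTIONS, STACK_ARN))
    print("read-only + scoped deploy, missing:",
          missing_actions([READ_ONLY_POLICY, SCOPED_DEPLOY_POLICY], CLOUDFORMATION_DEPLOY_ACTIONS, STACK_ARN))
    print("same, behind an S3-only boundary, missing:",
          missing_actions([READ_ONLY_POLICY, SCOPED_DEPLOY_POLICY], CLOUDFORMATION_DEPLOY_ACTIONS,
                          STACK_ARN, S3_ONLY_BOUNDARY))
```

With only the read-only policy the four mutating actions (CreateStack, CreateChangeSet, UpdateStack, ExecuteChangeSet) come back as missing, which is exactly the error in the question; adding the scoped policy clears the list for this project's stack ARN while still denying CreateStack on another team's stack; attaching the S3-only boundary makes every CloudFormation action fail again no matter what the identity policies say. Against a real account the authoritative check is the IAM policy simulator (aws iam simulate-principal-policy with --policy-source-arn and --action-names), which also accounts for the conditions this toy evaluator ignores.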

I had MFA enabled and had to obtain temporary credentials using MFA code to get AWS SAM to work, as per this comment