User is not authorized to perform: cloudformation:CreateStack

Question

I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error.

AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:us-east-1:XXXXXXXXX:stack/XXXXXXXXX-development-r/*

I have created a user and granted the following permissions to the user.

AWSLambdaFullAccess
AmazonS3FullAccess
CloudFrontFullAccess
AWSCloudFormationReadOnlyAccess ( There was no AWSCloudFormationFullAccess to grant )

How can I proceed? What else permissions I have to grant?

As of 26th July 2019 there is now a `AWSCloudFormationFullAccess` policy. — a2k42, Aug 07 '19 at 12:58

score 106 · Accepted Answer · edited Jan 17 '18 at 13:46

106

The closest one that you've mentioned is AWSCloudFormationReadOnlyAccess, but obviously that's for readonly and you need cloudformation:CreateStack. Add the following as a user policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

It's entirely possible you'll need more permissions- for instance, to launch an EC2 instance, to (re)configure security groups, etc.

edited Jan 17 '18 at 13:46

keparo

33,450
13
60
66

answered Dec 12 '15 at 07:15

tedder42

23,519
13
86
102

2

How can I grant `cloudformation:CreateStack`? I'm using the AWS UI not CLI. – Milindu Sanoj Kumarage Dec 12 '15 at 07:28
8

You paste the text I gave in as a custom user policy. – tedder42 Dec 12 '15 at 07:33
1

You can use Aws Policy Generator to generate this concrete policy or any other – Centurion Jun 27 '16 at 21:07
5

I find it so odd that this is not available through their drag and drop UI, thanks. – givanse Dec 31 '16 at 22:23
1

I followed your instructions and added that as an inline policy, but now I get a similar error when I try to run describe-stacks. How do I modify this policy to allow describe-stacks? – pixelwiz May 12 '17 at 13:43
@pixelwiz get used to adding permissions. [here's the list for cloudformation](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_cloudformation.html). – tedder42 May 12 '17 at 16:49
@pixelwiz you can add `cloudformation:*` to include all permissions. Also for me there is a UI now to create these Inline Policies. – Saskia Jan 19 '19 at 16:01
Really useful. Thanks – Mayur Dec 16 '20 at 08:12

score 38 · Answer 2 · answered Aug 01 '17 at 20:35

38

What @tedder42 said, but I also had to add the following to my group policy before I could deploy to lambda from inside visual studio.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

answered Aug 01 '17 at 20:35

Chris Masterton

2,197
4
24
30

5

You'd need `cloudformation:DescribeStacks` as well if you plan on doing `servlerless info`. – pdeschen Nov 10 '17 at 21:14
8

This answer should be upvoted and +1 to @pdeschen saying you also need to add `cloudformation:DescribeStacks` if you're trying to deploy with serverless. I also had to add `cloudformation:DescribeStackResource`, `cloudformation:ValidateTemplate` – hummmingbear Feb 27 '18 at 23:31
I also added these 2 actions : cloudformation:DescribeStackEvents cloudformation:DeleteStack because I needed to permit, my users delete the stacks as well. – GhostCode Sep 24 '18 at 10:09

score 8 · Answer 3 · answered Sep 26 '18 at 21:10

In my recent experience the policy required was

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

TimD · Answer 4 · 2020-04-09T15:28:23.250

I wasn't able to get the shorter versions shown above to work; what fixed things for me was extending @mancvso 's answer slightly to add "cloudformation:GetTemplateSummary":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplateSummary"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

It will be more helpful if you mention what is the difference. Only GetTemplateSummary? — Faheem, Mar 27 '20 at 08:11

score 4 · Answer 5 · answered Jul 28 '19 at 15:20

4

if you have multiple AWS profiles, try to explicity

export AWS_ACCESS_KEY_ID=<value>
export AWS_SECRET_ACCESS_KEY=<value>

before trying

serverless deploy

answered Jul 28 '19 at 15:20

Iridium Admin

111
1
3

1

This was the quickest solution! – Zameer Ansari Oct 07 '19 at 19:51

score 2 · Answer 6 · answered Aug 20 '20 at 11:04

2

I fixed this issue by adding the permission to the user in the AWS console:

Go to AWS Console
Find the user whose credentials you are using IAM > Access Management > Users
Permissions > 'Add Permissions' > 'Attach existing policies directly'
Search for and select 'AWSCloudFormationFullAccess'

answered Aug 20 '20 at 11:04

Alistair Colling

1,363
2
19
29

Easiest answer. Does exactly as the above but very succinctly – 128KB Feb 22 '23 at 04:24
I had to wait a minute after adding the policy until the issue was solved on the CLI. – Michael Schmid Mar 17 '23 at 11:14

score 2 · Answer 7 · answered Feb 22 '21 at 03:42

2

Just for others reference in case s/he was searching the issue and get here:

Make sure that you deleted the permissions boundary for that IAM user.

If you found that you have granted the cloudformation full access to the IAM user and still get the same error claiming User is not authorized to perform: cloudformation:CreateStack, then it's denied by the permissions boundary.

answered Feb 22 '21 at 03:42

Jeff Tian

5,210
3
51
71

1

Thanks, goto https://console.aws.amazon.com/iam/home?region=us-west-1#/roles and enter AWSAmplifyExecutionRole-xxxxx, then click "Attach policies" button, and search "AWSCloudFormationFullAccess" and add this permison to the amplify role – diyism Mar 21 '21 at 09:31

score 1 · Answer 8 · edited Feb 05 '19 at 15:49

These 2 helped me cross the line...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "apigateway:*",
            "Resource": "*"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStackResource",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        }
    ]
}

score 1 · Answer 9 · answered Jul 26 '19 at 06:22

Create the following policy:

Click on Policy -> Create Policy
Under Select Service - Type EKS & Select 'EKS'
Under Actions: Select 'All EKS Actions'
Under Resources: Either select 'All resources' or Add ARN
Click on Review Policy
Type the name for the policy & create the policy.

Now, associate this policy to the user account. This should solve the issue & you should be able to create the stack.

score 0 · Answer 10 · answered May 17 '18 at 22:17

With the recent updates in AWS, the following inline policy will also work.

{
   "Version": "2012-10-17",
   "Statement": [
       {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        }
    ]
}

score 0 · Answer 11 · answered Apr 19 '23 at 12:38

Here is an example policy that grants the necessary permissions to perform the cloudformation:CreateChangeSet action on the aws-ses-serverless-dev CloudFormation stack:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateChangeSet",
            "Effect": "Allow",
            "Action": "cloudformation:CreateChangeSet",
            "Resource": "arn:aws:cloudformation:us-east-1:030198164798:stack/aws-ses-serverless-dev/*"
        }
    ]
}

You can add this policy to the ses-smtp-user.20230320-141906 IAM user by following these steps:

Open the AWS Management Console and go to the IAM service.
List In the left sidebar, click on "Users" and find the
ses-smtp-user.20230320-141906 user.
Click on the user to open its
details page. Click on the "Permissions" tab.
Click on the "Add
inline policy" button to create a new policy.
In the policy editor, select the "JSON" tab and paste the example policy shown above. Click on the "Review policy" button to review the policy.
Give the policy a name and click on the "Create policy" button to create the policy and attach it to the user.

After adding the policy to the ses-smtp-user.20230320-141906 IAM user, try deploying your Serverless stack again and see if the issue will resolved.

User is not authorized to perform: cloudformation:CreateStack

11 Answers11

Linked