
I have a constrained IAM user that I'm trying to get minimally permissioned to create the baseline ECS CloudFormation reference architecture cleanly:

https://github.com/aws-samples/ecs-refarch-cloudformation

However, I can't get the reference stack to deploy. I get this error:

“Embedded stack arn:aws:cloudformation:us-east-1:*elided*:stack/icc-baselinestack-WebsiteService-*elided*/*elided* was not successfully created: The following resource(s) failed to create: [ServiceScalableTarget].” 

I'm new to CloudFormation and I'm wondering how best to diagnose the cause. Is there a place where I can get more detailed diagnostic information about the cause of the problem?

FWIW I can deploy the reference architecture on a fully-permissioned private AWS account without any trouble as AWS intends with this reference stack.

For reference this is the section in service.yaml the error refers to:

    ServiceScalableTarget:
        Type: "AWS::ApplicationAutoScaling::ScalableTarget"
        Properties:
            MaxCapacity: !Ref MaxCount
            MinCapacity: !Ref DesiredCount
            ResourceId: !Join
                - /
                - - service
                  - !Ref Cluster
                  - !GetAtt Service.Name
            RoleARN: !Ref ECSServiceAutoScalingRoleARN
            ScalableDimension: ecs:service:DesiredCount
            ServiceNamespace: ecs

And this is my command line:

    aws cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM --stack-name icc-baselinestack --template-url https://s3.amazonaws.com/ecs-refarch-cloudformation/master.yaml

  • Side-note: You can create a role for the CloudFormation template that allows users (who have insufficient permissions to create the resources themselves) to launch the stack. Also, AWS Service Catalog can launch services via a CloudFormation stack even when a user does not have the required permissions themselves. – John Rotenstein Apr 02 '18 at 01:24
  • maybe you don't have access to "application-autoscaling:*" – Sudharsan Sivasankaran Apr 02 '18 at 02:50
  • Thanks for the comments. I do seem to have application-autoscaling:* and I will look at building a role for the launch and research AWS Service Catalog. I'm still curious if there would be a specific location where granular permission denial/autoscale failures are logged. – Christopher Gentle Apr 03 '18 at 23:42
  • Did you ever figure out the issue? – Faizuddin Mohammed Dec 31 '18 at 12:27
  • I overcame the problem by setting up a role, but I never found a better way of obtaining granular policy/permissions decision-making logs. – Christopher Gentle Jan 02 '19 at 02:32

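The "Embedded stack ... was not successfully created" message in the question is only the parent stack's wrapper; the real reason lives in the events of the nested stack, which `aws cloudformation describe-stack-events` returns when given the nested stack's ARN (the `PhysicalResourceId` of the failed `AWS::CloudFormation::Stack` resource). After a rollback the nested stacks are deleted, so only the ARN works, not the name. The following is an added example written for this question, not code from the reference architecture or from AWS: it walks the event list from the parent down through nested stacks, drops the "Resource creation cancelled" siblings that carry no information, and pulls the IAM action out of a reason that uses the standard "is not authorized to perform: svc:Action" phrasing. The stack ARNs, account ID, user name and every event below are constructed sample data; the `main()` path calls the real API through boto3 and is assumed to run with credentials that can read the stacks.

```python
"""Find the leaf-level cause of a CloudFormation CREATE_FAILED across nested
stacks. Added example for this question; not code from the ECS reference
architecture. All sample events and identifiers here are constructed."""
import re
import sys
from typing import Callable, Dict, Iterable, List, Optional, Set

Event = dict  # one element of the "StackEvents" list from describe-stack-events
FetchEvents = Callable[[str], Iterable[Event]]

FAILED_STATES = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}
NESTED_STACK = "AWS::CloudFormation::Stack"
# Standard AWS AccessDenied wording: "... is not authorized to perform: svc:Action ..."
_ACTION_RE = re.compile(r"not authorized to perform: ([\w-]+:[\w*]+)")


def denied_action(reason: str) -> Optional[str]:
    """Return the 'service:Action' named in an AccessDenied reason, if any."""
    m = _ACTION_RE.search(reason)
    return m.group(1) if m else None


def root_cause_failures(stack_id: str, fetch_events: FetchEvents,
                        _seen: Optional[Set[str]] = None) -> List[dict]:
    """Return one record per failed resource that is not itself a nested stack.

    A failed AWS::CloudFormation::Stack resource is followed into the child
    stack via its PhysicalResourceId (the child stack ARN). If the child yields
    no readable failure (no ARN, already visited, or no events), the parent's
    wrapper event is kept so nothing is silently dropped."""
    seen = _seen if _seen is not None else set()
    if stack_id in seen:
        return []
    seen.add(stack_id)

    causes: List[dict] = []
    for ev in fetch_events(stack_id):
        if ev.get("ResourceStatus") not in FAILED_STATES:
            continue
        reason = ev.get("ResourceStatusReason", "")
        # Siblings cancelled because another resource failed carry no diagnostics.
        if reason.startswith("Resource creation cancelled"):
            continue
        if ev.get("ResourceType") == NESTED_STACK:
            child = ev.get("PhysicalResourceId")
            nested = root_cause_failures(child, fetch_events, seen) if child else []
            if nested:
                causes.extend(nested)
                continue
        causes.append({
            "stack": stack_id,
            "resource": ev.get("LogicalResourceId"),
            "type": ev.get("ResourceType"),
            "reason": reason,
            "denied_action": denied_action(reason),
        })
    return causes


# ---- constructed sample data (not real AWS output) -------------------------
PARENT = "arn:aws:cloudformation:us-east-1:111122223333:stack/icc-baselinestack/aaaa"
CHILD = ("arn:aws:cloudformation:us-east-1:111122223333:stack/"
         "icc-baselinestack-WebsiteService-XYZ/bbbb")
OTHER = ("arn:aws:cloudformation:us-east-1:111122223333:stack/"
         "icc-baselinestack-ProductService-XYZ/cccc")
SAMPLE_REASON = ("User: arn:aws:iam::111122223333:user/constrained is not authorized "
                 "to perform: application-autoscaling:RegisterScalableTarget on "
                 "resource: service/icc-baselinestack/web (constructed sample)")
SAMPLE_EVENTS: Dict[str, List[Event]] = {
    PARENT: [
        {"LogicalResourceId": "icc-baselinestack", "ResourceType": NESTED_STACK,
         "PhysicalResourceId": PARENT, "ResourceStatus": "ROLLBACK_IN_PROGRESS"},
        {"LogicalResourceId": "ProductService", "ResourceType": NESTED_STACK,
         "PhysicalResourceId": OTHER, "ResourceStatus": "CREATE_FAILED",
         "ResourceStatusReason": "Resource creation cancelled"},
        {"LogicalResourceId": "WebsiteService", "ResourceType": NESTED_STACK,
         "PhysicalResourceId": CHILD, "ResourceStatus": "CREATE_FAILED",
         "ResourceStatusReason": "Embedded stack " + CHILD + " was not successfully "
         "created: The following resource(s) failed to create: [ServiceScalableTarget]."},
    ],
    CHILD: [
        {"LogicalResourceId": "Service", "ResourceType": "AWS::ECS::Service",
         "PhysicalResourceId": "web", "ResourceStatus": "CREATE_COMPLETE"},
        {"LogicalResourceId": "ServiceScalableTarget",
         "ResourceType": "AWS::ApplicationAutoScaling::ScalableTarget",
         "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": SAMPLE_REASON},
    ],
}


def sample_fetch(stack_id: str) -> Iterable[Event]:
    """Stand-in for describe-stack-events over the constructed data."""
    return SAMPLE_EVENTS.get(stack_id, [])


def main(stack_name: str) -> None:
    """Live version: same walk against the real API (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample path needs no boto3
    cfn = boto3.client("cloudformation")

    def fetch(stack_id: str) -> Iterable[Event]:
        for page in cfn.get_paginator("describe_stack_events").paginate(StackName=stack_id):
            yield from page["StackEvents"]

    for c in root_cause_failures(stack_name, fetch):
        print(f"{c['resource']} ({c['type']}) in {c['stack']}\n  reason: {c['reason']}")
        if c["denied_action"]:
            print(f"  missing IAM action: {c['denied_action']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else PARENT)
```

Run it as `python find_cause.py icc-baselinestack` with credentials for the account. The same walk by hand is `aws cloudformation describe-stack-events --stack-name <nested stack ARN>` and reading `ResourceStatusReason` on the `CREATE_FAILED` row. For the "granular permission logs" asked about in the comments: when no service role is attached to the stack, CloudFormation makes the underlying API calls as the calling user, so a denied `RegisterScalableTarget` (or a denied `iam:PassRole` for `ECSServiceAutoScalingRoleARN`) shows up in CloudTrail under that user with `errorCode` set to `AccessDenied`; `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RegisterScalableTarget` narrows it to that call.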