2

When I try to deploy the hello world SAM application using sam deploy --guided, I get the following error.

Configuring SAM deploy
======================

        Looking for config file [samconfig.toml] :  Not found

        Setting default arguments for 'sam deploy'
        =========================================
        Stack Name [sam-app]: sam-app
        AWS Region [eu-west-1]: eu-west-1
        #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
        Confirm changes before deploy [y/N]: y
        #SAM needs permission to be able to create roles to connect to the resources in your template
        Allow SAM CLI IAM role creation [Y/n]: y
        #Preserves the state of previously provisioned resources when an operation fails
        Disable rollback [y/N]: y
        HelloWorldFunction may not have authorization defined, Is this okay? [y/N]: y
        Save arguments to configuration file [Y/n]: y
        SAM configuration file [samconfig.toml]: 
        SAM configuration environment [default]: 

        Looking for resources needed for deployment:
        Creating the required resources...
Error: Failed to create managed resources: An error occurred (AccessDenied) when calling the CreateChangeSet operation: User: arn:aws:iam::899719272550:user/xxxxxxxx@xxxxxxxxxxxxxxxxxxxxxxxx is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:eu-west-1:899719272550:stack/aws-sam-cli-managed-default/* because no identity-based policy allows the cloudformation:CreateChangeSet action

Could you please help me to fix it?

Thanks in advance

2 Answers

1

Better late than never. The answer to your problem is in your question itself.

SAM CLI uses the AWS credentials/role that you set up while configuring your AWS CLI using the aws configure command. If you don't know what I'm talking about, check Setting up AWS credentials here.

Needless to say, this role needs to have at least the following set of permissions for it to create/update CloudFormation stacks successfully.

  • cloudformation:CreateChangeSet
  • cloudformation:CreateStack
  • cloudformation:DeleteStack
  • cloudformation:DescribeChangeSet
  • cloudformation:DescribeStackEvents
  • cloudformation:DescribeStacks
  • cloudformation:ExecuteChangeSet
  • cloudformation:GetTemplateSummary
  • cloudformation:ListStackResources
  • cloudformation:UpdateStack

The role you are using is currently missing the cloudformation:CreateChangeSet permission and hence it's failing. Try adding all of the permissions mentioned above to your role and re-deploy the app.

Salvino D'sa
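As an added example (not part of the answer above and not AWS's own tooling), this offline Python sketch checks an identity-based policy document against the ten actions listed in the first answer and builds a policy scoped to the two stacks named in the question. The account ID and the sample read-only policy are constructed, and the evaluation is simplified: it handles only Allow/Deny statements with Action and Resource wildcards, not Condition, NotAction, permission boundaries or SCPs.

```python
import re
REQUIRED_ACTIONS = [  # the ten actions listed in the answer above
    "cloudformation:CreateChangeSet", "cloudformation:CreateStack",
    "cloudformation:DeleteStack", "cloudformation:DescribeChangeSet",
    "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
    "cloudformation:ExecuteChangeSet", "cloudformation:GetTemplateSummary",
    "cloudformation:ListStackResources", "cloudformation:UpdateStack",
]
ACCOUNT = "111122223333"  # constructed placeholder account ID
PREFIX = f"arn:aws:cloudformation:eu-west-1:{ACCOUNT}:stack/"
MANAGED_STACK = PREFIX + "aws-sam-cli-managed-default/*"  # resource named in the error
APP_STACK = PREFIX + "sam-app/*"  # stack name entered at the prompt

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def missing_actions(policy, resource):
    return [a for a in REQUIRED_ACTIONS if not is_allowed(policy, a, resource)]

def scoped_policy():
    """The listed actions, limited to the two stacks this deploy touches."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": REQUIRED_ACTIONS,
        "Resource": [MANAGED_STACK, APP_STACK]}]}

# Constructed policy with only read-style actions (no change-set or stack writes).
READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*"]}]}

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY), ("scoped", scoped_policy())):
        print(name, "policy is missing:", missing_actions(pol, MANAGED_STACK))
```

Dumping `scoped_policy()` with `json.dumps` gives a document that can be attached to the deploying user or role; an empty list from `missing_actions` means every listed action is covered for that stack ARN.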
0

The role permission you need is AWSCloudFormationFullAccess

and if you cannot grant full access then you can try with AWSCloudFormationReadOnlyAccess

Armer B.