User is not authorized to perform: cloudformation:CreateStack

Question

I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error.

AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:us-east-1:XXXXXXXXX:stack/XXXXXXXXX-development-r/*

I have created a user and granted the following permissions to the user.

AWSLambdaFullAccess
AmazonS3FullAccess
CloudFrontFullAccess
AWSCloudFormationReadOnlyAccess ( There was no AWSCloudFormationFullAccess to grant )

How can I proceed? What else permissions I have to grant?

As of 26th July 2019 there is now a `AWSCloudFormationFullAccess` policy. — Andy2K11, Aug 07 '19 at 12:58

score 87 · Accepted Answer · edited Jan 17 '18 at 13:46

87

The closest one that you've mentioned is AWSCloudFormationReadOnlyAccess, but obviously that's for readonly and you need cloudformation:CreateStack. Add the following as a user policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

It's entirely possible you'll need more permissions- for instance, to launch an EC2 instance, to (re)configure security groups, etc.

edited Jan 17 '18 at 13:46

keparo

30,528
13
57
66

answered Dec 12 '15 at 07:15

tedder42

20,195
8
74
92

2

How can I grant `cloudformation:CreateStack`? I'm using the AWS UI not CLI. – Milindu Sanoj Kumarage Dec 12 '15 at 07:28
7

You paste the text I gave in as a custom user policy. – tedder42 Dec 12 '15 at 07:33
1

You can use Aws Policy Generator to generate this concrete policy or any other – Centurion Jun 27 '16 at 21:07
5

I find it so odd that this is not available through their drag and drop UI, thanks. – givanse Dec 31 '16 at 22:23
1

I followed your instructions and added that as an inline policy, but now I get a similar error when I try to run describe-stacks. How do I modify this policy to allow describe-stacks? – pixelwiz May 12 '17 at 13:43
@pixelwiz get used to adding permissions. [here's the list for cloudformation](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_cloudformation.html). – tedder42 May 12 '17 at 16:49
@pixelwiz you can add `cloudformation:*` to include all permissions. Also for me there is a UI now to create these Inline Policies. – Saskia Jan 19 '19 at 16:01
Really useful. Thanks – Mayur Dec 16 '20 at 08:12

score 32 · Answer 2 · answered Aug 01 '17 at 20:35

32

What @tedder42 said, but I also had to add the following to my group policy before I could deploy to lambda from inside visual studio.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

answered Aug 01 '17 at 20:35

Chris Masterton

2,139
3
23
30

4

You'd need `cloudformation:DescribeStacks` as well if you plan on doing `servlerless info`. – pdeschen Nov 10 '17 at 21:14
6

This answer should be upvoted and +1 to @pdeschen saying you also need to add `cloudformation:DescribeStacks` if you're trying to deploy with serverless. I also had to add `cloudformation:DescribeStackResource`, `cloudformation:ValidateTemplate` – theartofbeing Feb 27 '18 at 23:31
I also added these 2 actions : cloudformation:DescribeStackEvents cloudformation:DeleteStack because I needed to permit, my users delete the stacks as well. – GhostCode Sep 24 '18 at 10:09

score 7 · Answer 3 · answered Sep 26 '18 at 21:10

In my recent experience the policy required was

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

score 4 · Answer 4 · answered Jul 28 '19 at 15:20

4

if you have multiple AWS profiles, try to explicity

export AWS_ACCESS_KEY_ID=<value>
export AWS_SECRET_ACCESS_KEY=<value>

before trying

serverless deploy

answered Jul 28 '19 at 15:20

Iridium Admin

91
1
3

This was the quickest solution! – Zameer Ansari Oct 07 '19 at 19:51

TimD · Answer 5 · 2020-04-09T15:28:23.250

I wasn't able to get the shorter versions shown above to work; what fixed things for me was extending @mancvso 's answer slightly to add "cloudformation:GetTemplateSummary":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplateSummary"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

It will be more helpful if you mention what is the difference. Only GetTemplateSummary? — Faheem, Mar 27 '20 at 08:11

score 1 · Answer 6 · edited Feb 05 '19 at 15:49

These 2 helped me cross the line...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "apigateway:*",
            "Resource": "*"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStackResource",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        }
    ]
}

score 1 · Answer 7 · answered Jul 26 '19 at 06:22

Create the following policy:

Click on Policy -> Create Policy
Under Select Service - Type EKS & Select 'EKS'
Under Actions: Select 'All EKS Actions'
Under Resources: Either select 'All resources' or Add ARN
Click on Review Policy
Type the name for the policy & create the policy.

Now, associate this policy to the user account. This should solve the issue & you should be able to create the stack.

score 0 · Answer 8 · answered May 17 '18 at 22:17

With the recent updates in AWS, the following inline policy will also work.

{
   "Version": "2012-10-17",
   "Statement": [
       {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        }
    ]
}

score 0 · Answer 9 · answered Aug 20 '20 at 11:04

I fixed this issue by adding the permission to the user in the AWS console:

Go to AWS Console
Find the user whose credentials you are using IAM > Access Management > Users
Permissions > 'Add Permissions' > 'Attach existing policies directly'
Search for and select 'AWSCloudFormationFullAccess'

score 0 · Answer 10 · answered Feb 22 '21 at 03:42

0

Just for others reference in case s/he was searching the issue and get here:

Make sure that you deleted the permissions boundary for that IAM user.

If you found that you have granted the cloudformation full access to the IAM user and still get the same error claiming User is not authorized to perform: cloudformation:CreateStack, then it's denied by the permissions boundary.

answered Feb 22 '21 at 03:42

Jeff Tian

4,481
1
38
54

Thanks, goto https://console.aws.amazon.com/iam/home?region=us-west-1#/roles and enter AWSAmplifyExecutionRole-xxxxx, then click "Attach policies" button, and search "AWSCloudFormationFullAccess" and add this permison to the amplify role – diyism Mar 21 '21 at 09:31

score -1 · Answer 11 · answered Dec 14 '18 at 17:40

-1

There is a section in the docs on this (at least now).

With a gist showing the policies JSON they recommend.

answered Dec 14 '18 at 17:40

ryanjdillon

13,415
6
73
96

score -6 · Answer 12 · answered Jul 12 '18 at 19:32

-6

Give "administrator" access to the user you created

answered Jul 12 '18 at 19:32

Suryaprakash Reddy

7

While this answer may be helpful to an extent, you should expand on how to implement your solution, and what it adds to the other answers. – Artemis Jul 23 '18 at 19:02

User is not authorized to perform: cloudformation:CreateStack

12 Answers12

Linked