User is not authorized to perform: cloudformation:CreateStack
Solution 1
The closest one that you've mentioned is AWSCloudFormationReadOnlyAccess, but obviously that's for readonly and you need cloudformation:CreateStack. Add the following as a user policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
It's entirely possible you'll need more permissions- for instance, to launch an EC2 instance, to (re)configure security groups, etc.
Solution 2
What @tedder42 said, but I also had to add the following to my group policy before I could deploy to lambda from inside visual studio.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Solution 3
In my recent experience the policy required was
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Solution 4
I wasn't able to get the shorter versions shown above to work; what fixed things for me was extending @mancvso's answer slightly to add "cloudformation:GetTemplateSummary":
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1449904348000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplateSummary"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
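Added example (not part of any answer on this page, and not AWS or Serverless code): the four policies above all grant their actions on Resource "*". This sketch parses AccessDenied messages in the format quoted in the question and groups the denied actions by the resource ARN each message names, so stack actions can be scoped to the stack instead. The account id, user and stack name in the sample are constructed, and falling back to "*" when a message names no resource is an assumption.

```python
import json
import re

# Format of the AccessDenied text quoted in the question on this page.
DENIED = re.compile(
    r"User: \S+ is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

# Constructed sample errors (account id, user and stack name are made up).
STACK = "arn:aws:cloudformation:us-east-1:123456789012:stack/myproj-development-r/*"
USER = "arn:aws:iam::123456789012:user/deployer"
PREFIX = f"AccessDenied: User: {USER} is not authorized to perform: "
SAMPLE_ERRORS = [
    PREFIX + f"cloudformation:CreateStack on resource: {STACK}",
    PREFIX + f"cloudformation:DescribeStacks on resource: {STACK}",
    PREFIX + f"cloudformation:CreateStack on resource: {STACK}",  # repeat
    PREFIX + "cloudformation:ValidateTemplate",  # names no resource
    "Serverless: Packaging service...",  # unrelated line, ignored
]


def policy_from_denials(messages):
    """Build one Allow statement per resource ARN seen in the errors."""
    by_resource = {}
    for msg in messages:
        m = DENIED.search(msg)
        if m is None:
            continue
        # Assumption: a message without "on resource:" needs Resource "*".
        resource = (m.group("resource") or "*").rstrip(".,")
        by_resource.setdefault(resource, set()).add(m.group("action"))
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": [resource]}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(policy_from_denials(SAMPLE_ERRORS), indent=4))
```

Review the generated statements before attaching them; the script only echoes what the errors asked for.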
Solution 5
If you have multiple AWS profiles, try to explicitly
export AWS_ACCESS_KEY_ID=<value>
export AWS_SECRET_ACCESS_KEY=<value>
before trying
serverless deploy
Comments
-
Milindu Sanoj Kumarage almost 3 years
I'm trying out Serverless to create AWS Lambdas and while creating a project using the command
serverless project create
I'm getting the following error.
AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:us-east-1:XXXXXXXXX:stack/XXXXXXXXX-development-r/*
I have created a user and granted the following permissions to the user.
- AWSLambdaFullAccess
- AmazonS3FullAccess
- CloudFrontFullAccess
- AWSCloudFormationReadOnlyAccess (There was no AWSCloudFormationFullAccess to grant)
How can I proceed? What other permissions do I have to grant?
-
a2k42 over 4 years
As of 26th July 2019 there is now a AWSCloudFormationFullAccess policy.
-
Milindu Sanoj Kumarage over 8 years
How can I grant cloudformation:CreateStack? I'm using the AWS UI not CLI.
-
tedder42 over 8 years
You paste the text I gave in as a custom user policy.
-
Centurion almost 8 years
You can use AWS Policy Generator to generate this concrete policy or any other
-
givanse over 7 years
I find it so odd that this is not available through their drag and drop UI, thanks.
-
pixelwiz almost 7 years
I followed your instructions and added that as an inline policy, but now I get a similar error when I try to run describe-stacks. How do I modify this policy to allow describe-stacks?
-
tedder42 almost 7 years
@pixelwiz get used to adding permissions. here's the list for cloudformation.
-
pdeschen over 6 years
You'd need cloudformation:DescribeStacks as well if you plan on doing serverless info.
-
theartofbeing about 6 years
This answer should be upvoted and +1 to @pdeschen saying you also need to add cloudformation:DescribeStacks if you're trying to deploy with serverless. I also had to add cloudformation:DescribeStackResource, cloudformation:ValidateTemplate
-
Artemis almost 6 years
While this answer may be helpful to an extent, you should expand on how to implement your solution, and what it adds to the other answers.
-
GhostCode over 5 years
I also added these 2 actions: cloudformation:DescribeStackEvents, cloudformation:DeleteStack because I needed to permit my users to delete the stacks as well.
-
Saskia over 5 years
@pixelwiz you can add cloudformation:* to include all permissions. Also for me there is a UI now to create these Inline Policies.
-
Zameer Ansari over 4 years
This was the quickest solution!
-
Faheem about 4 years
It will be more helpful if you mention what is the difference. Only GetTemplateSummary?
-
Mayur over 3 years
Really useful. Thanks
-
diyism about 3 years
Thanks, goto console.aws.amazon.com/iam/home?region=us-west-1#/roles and enter AWSAmplifyExecutionRole-xxxxx, then click "Attach policies" button, and search "AWSCloudFormationFullAccess" and add this permission to the amplify role