serverless-application-model: FAILED: User is not authorized to perform cloudformation:CreateChangeSet

I have the following simple SAM CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AW::Serverless-2016-10-31
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: main.handler
      Runtime: python3.6

I package and deploy it with the following commands:

aws cloudformation package --template-file .\template.yaml --s3-bucket xxxxxxx --output-template-file packaged-template.yaml

aws cloudformation deploy --template-file .\packaged-template.yaml --stack-name my-sam-stack --capabilities CAPABILITY_IAM

Package is successful, but after deploy, I receive the following error message: Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: User: arn:aws:iam::xxxxxxx:user/xxx is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:aw:transform/Serverless-2016-10-31

I tried different combinations of permissions for my user, including giving AdministratorAccess; however, the error remained the same. When I use the console to create a stack from the same template (the packaged one), I receive the same error. Am I missing something?

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 17 (2 by maintainers)

Most upvoted comments

I had a similar issue and later identified it as a problem that occurs when you have multi-factor authentication enabled on the account your credentials are using. The solution was to set up your environment using a temporary token from AWS.

aws sts get-session-token --serial-number arn:aws:iam::ACCOUNT_NUMBER:mfa/USER_NAME --token-code CODE_FROM_DEVICE

export AWS_ACCESS_KEY_ID=KEY_FROM_RESPONSE
export AWS_SECRET_ACCESS_KEY=SECRET_FROM_RESPONSE
export AWS_SESSION_TOKEN=TOKEN_FROM_RESPONSE

More info: https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html

I have the same problem, but without the typo. So same question please.

It seems like the problem is indeed solved by specifying * as the target resource in the CloudFormation policy that enables CreateChangeSet. If anyone could test whether this can also be resolved by creating a policy that specifies arn:aws:cloudformation:*:aws:transform/Serverless-2016-10-31 as the resource in the JSON editor, feel free to do so.

Edit: Just so you know, you have to use the JSON editor; the visual editor won't let you.

Well, please ignore this! That was a stupid typo. I used ‘AW::Serverless-2016-10-31’ instead of ‘AWS::Serverless-2016-10-31’.

I see in the official link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html that we have to include the Serverless transform resource as below:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateChangeSet"
        ],
        "Resource": "arn:aws:cloudformation:us-west-2:aws:transform/Serverless-2016-10-31"
    }]
}

For me, specifying * as the target resource hasn’t solved my problem. I had to grant permissions explicitly on arn:aws:cloudformation:*:aws:transform/Serverless-2016-10-31 in order to make it work.

Thanks for the answer. No, I was not. I added it and it now creates my change set but gets stuck in REVIEW_IN_PROGRESS forever. Tried to delete the stack and rerun the package upload and then the deploy, no more luck. Still trying to find out how to make it work (with long-term credentials it runs fine; only with the short-term STS credentials do I get this problem). Thanks for your help.

In reply to Sebastian Hesse: @roush00 Did you include --capabilities CAPABILITY_IAM in the aws cloudformation deploy call?

You need to ensure you give Allow access for CreateChangeSet to both the actual stack and to whatever macro you might be using. In my case it was aws:transform/Serverless. The statement looks like this:

    {
        "Effect": "Allow",
        "Action": "cloudformation:CreateChangeSet",
        "Resource": [
            "arn:aws:cloudformation:us-east-1:123123123123:stack/some-stack-name/*",
            "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"
        ]
    }
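Two of the failure causes discussed in this thread, the ‘AW::’ typo in the Transform line and an IAM policy that grants CreateChangeSet on the stack but not on the transform ARN, can both be caught before running aws cloudformation deploy. The Python below is an added example written for this page, not code from the serverless-application-model project or from any commenter. The account id, stack id, templates and policy documents are constructed placeholders, and the policy evaluator models only the explicit-Deny / matching-Allow / default-deny rule with IAM-style * and ? wildcards; Condition, NotAction and NotResource are deliberately not modelled.

```python
"""Offline pre-deploy checks for two causes discussed in this thread: a mistyped
Transform name and an IAM policy that does not grant CreateChangeSet on the SAM
transform ARN. Added example; not part of the serverless-application-model project."""
import fnmatch
import re

SAM_TRANSFORM = "AWS::Serverless-2016-10-31"
# The resource named in the deploy error: the transform lives in the "aws" pseudo-account.
SAM_TRANSFORM_ARN = "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"


def check_transform(template_text):
    """Return a list of problems with the template's Transform line (empty = OK).

    Handles the one-line scalar form `Transform: AWS::Serverless-2016-10-31`, with or
    without quotes, using a regex so that no YAML library is required."""
    match = re.search(r"^Transform:[ \t]*['\"]?([^'\"\n]+)['\"]?[ \t]*$", template_text, re.M)
    if not match:
        return ["no Transform declared; AWS::Serverless::* resources will not be expanded"]
    value = match.group(1).strip()
    if value == SAM_TRANSFORM:
        return []
    return [f"Transform is {value!r}, expected {SAM_TRANSFORM!r}"]


def _as_list(value):
    """IAM allows Statement, Action and Resource to be either a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, case_sensitive):
    """IAM wildcard match: '*' is any run of characters, '?' a single character.
    Action names are matched case-insensitively, ARNs case-sensitively."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatch.fnmatchcase(target, pattern):
                return True
        elif fnmatch.fnmatchcase(target.lower(), pattern.lower()):
            return True
    return False


def policy_allows(policy, action, resource_arn):
    """Evaluate one identity policy document for one action on one resource.

    Core IAM rule only: an explicit Deny wins, any matching Allow grants, and the
    default is deny. Condition, NotAction and NotResource are not modelled (assumption)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource_arn, case_sensitive=True):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_changeset_grants(policy, stack_arn, transform_arn=SAM_TRANSFORM_ARN):
    """ARNs on which cloudformation:CreateChangeSet is NOT allowed. A SAM deploy needs both."""
    return [arn for arn in (stack_arn, transform_arn)
            if not policy_allows(policy, "cloudformation:CreateChangeSet", arn)]


# --- constructed sample inputs (account id and stack id are placeholders) ---
STACK_ARN = ("arn:aws:cloudformation:us-east-1:123456789012:"
             "stack/my-sam-stack/0f0f0f0f-0000-0000-0000-000000000000")

BROKEN_TEMPLATE = "AWSTemplateFormatVersion: '2010-09-09'\nTransform: AW::Serverless-2016-10-31\nResources: {}\n"
FIXED_TEMPLATE = "AWSTemplateFormatVersion: '2010-09-09'\nTransform: 'AWS::Serverless-2016-10-31'\nResources: {}\n"

# Grants CreateChangeSet on the stack only: the transform ARN is missing, so deploy fails.
STACK_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudformation:CreateChangeSet",
        "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-sam-stack/*",
    }],
}

# Grants both, using a region wildcard on the transform ARN as suggested in the thread.
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudformation:CreateChangeSet",
        "Resource": [
            "arn:aws:cloudformation:us-east-1:123456789012:stack/my-sam-stack/*",
            "arn:aws:cloudformation:*:aws:transform/Serverless-2016-10-31",
        ],
    }],
}

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(f"{name} template:", check_transform(tpl) or "OK")
    for name, pol in (("stack-only", STACK_ONLY_POLICY), ("full", FULL_POLICY)):
        print(f"{name} policy, missing grants:", missing_changeset_grants(pol, STACK_ARN) or "none")
```

Running the script reports the typo for the broken template and lists the transform ARN as the missing grant for the stack-only policy; the full policy comes back clean. The check is a local approximation only: the authoritative answer is what IAM itself evaluates for the calling principal, so a clean result here does not rule out an MFA or session-credential problem of the kind described earlier in the thread.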

For me it worked when I gave the AWSCloudFormationFullAccess permission to my user in AWS.

Specifying CAPABILITY_IAM is an explicit acknowledgement that you are allowing the template to create IAM resources in your AWS account. You can read more about capabilities and what they mean here:

https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

Did anyone figure this out? Same issue as @roush00 and @kashoory, but no typos, and I used --capabilities CAPABILITY_IAM.