AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM] - amazon-web-services

When creating a stack with CloudFormation, I get this error:
Stack update error: Requires capabilities : [CAPABILITY_IAM]
I can't find a template for adding CAPABILITIES_IAM to the CloudFormation configuration.
What are the options for resolving CAPABILITIES_IAM errors?

Turns out you need to check a box on the last screen of the stack creation. If you are using the console, just above the 'create stack' button there's a box asking you to acknowledge that you want to allow Cloudformation to modify IAM stuff. You can, of course, create the stack without the acknowledgement, which will cause the stack to fail with the CAPABILITY_IAM error (or another error, if a different capability is required).
In CodePipeline CloudFormation you can add it like this to allow execution of the created change_set in the deploy action:
Configuration:
  StackName: !Ref GitHubRepository
  ActionMode: CHANGE_SET_REPLACE
  Capabilities: CAPABILITY_NAMED_IAM
  RoleArn: arn:aws:iam::818272543125:role/events-list-codepiplinerole
  ChangeSetName: !Join ["",[!Ref GitHubRepository, "-changeset"]]
  TemplatePath: MyAppBuild::sam_post.yaml
In the aws cli append
--capabilities CAPABILITY_IAM
or
--capabilities CAPABILITY_NAMED_IAM
To your command like this:
aws cloudformation create-stack --stack-name message-store --template-body file://bucket_with_keys.yaml --parameters file://cfg_bucket_with_keys.json --capabilities CAPABILITY_NAMED_IAM
This does not apply to cloudformation --validate-template as it is not actually creating the resources.

If you are using the AWS CLI, you can add an extra parameter to the aws cloudformation create-stack command that explicitly states you want these capabilities provided.
(this is the CLI equivalent of ticking the checkbox in the other answer here).
The parameter is --capabilities CAPABILITY_IAM, so your command would look like:
aws cloudformation create-stack --stack-name $STACK_NAME --capabilities CAPABILITY_IAM
Hope that helps

Just above the create stack button, turn on acknowledge in the console.

In case someone comes here from Google (like I did) and is using Terraform, make sure you add a capabilities argument:
resource "aws_cloudformation_stack" "cloudformation_stack" {
  # ...
  capabilities = ["CAPABILITY_IAM"]
}

If "CAPABILITY_IAM" is not supported, you can try "CAPABILITY_NAMED_IAM"
https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

If anybody faces the same problem trying to deploy using SAM, you just need to add the --capabilities flag:
sam deploy --guided --capabilities CAPABILITY_NAMED_IAM

Related

How do I set an AWS Stack name (for a Lambda Layer) in a SAM Template?

This page describes how to set a stack name in some AWS console GUI: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console-create-stack-parameters.html
How do I set these values in the SAM Template .yml files?
I'm specifically doing this on a Stack that is only a Lambda Layer if that matters.
I can see that there is some way to do this via CLI as described here:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html
aws cloudformation create-stack --stack-name myteststack --template-url "ssm-doc://arn:aws:ssm:us-east-1:123456789012:document/documentName"
Is it even possible to set the name in the template?
Unfortunately, it seems like stack name is NOT part of the SAM templates. This is done via the command arguments to deploy the stack.
From the same link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html
The following example creates the myteststack stack in an Amazon S3 bucket:
PROMPT> aws cloudformation create-stack \
--stack-name myteststack \
--template-body file:///home/testuser/mytemplate.json \
--parameters ParameterKey=Parm1,ParameterValue=test1 ParameterKey=Parm2,ParameterValue=test2
So when creating the stack, the --stack-name argument is how this is set.
The reason I was confused is because I didn't realize where that command was being issued.

aws cli: invalid template path, running aws cloudformation create

I have a template file in a S3 bucket. I want to create a cloudformation stack with it.
I run:
aws cloudformation create --template https://mybucket-us-east-1.s3.us-east-1.amazonaws.com/template/1.0/the-template.template --stack-name test-stack
Then I get this error:
Invalid template path https://mybucket-us-east-1.s3.us-east-1.amazonaws.com/template/1.0/the-template.template
What is the correct syntax to create/deploy a cloudformation stack from a template file found in a S3 bucket?
jprdanm was right. This command worked, however, I also needed to add --capabilities CAPABILITY_NAMED_IAM at the end of it, so:
aws cloudformation create-stack --template-url https://mybucket-us-east-1.s3.us-east-1.amazonaws.com/template/1.0/the-template.template --stack-name test-stack --capabilities CAPABILITY_NAMED_IAM

Cloudformation append to stack

I have an AWS stack with lambda and api gateway resources. There are about 250 resources and cloudformation only allows uploading 200 at a time so I split it into 2 templates. However when I run the deploy commands for each stack like so
aws cloudformation deploy --template-file template.yml --stack-name my-stack --region us-east-1 --capabilities CAPABILITY_IAM
aws cloudformation deploy --template-file template2.yml --stack-name my-stack --region us-east-1 --capabilities CAPABILITY_IAM
the second command deletes what the first command deployed to my-stack. I would like to append the resources in template2.yml to my-stack and keep what was deployed from template.yml. Is there a way to do that? I want the resources in both templates to use the same api gateway endpoint.
They are technically 2 stacks, but you only gave 1 stack name. So the later command will overwrite the deployed my-stack based on template.yml.
Change your 2nd command to use a different stack name like my-stack2
You could deploy these specifications into two different stacks (different stack names); besides, you could reference the API Gateway specification from the first stack in the second stack. This is one way to reference Lambda functions in the same API Gateway.

InsufficientCapabilitiesException [CAPABILITY_NAMED_IAM] when creating a stack with IAM policies

I get this error when I run create-stack for a cloudformation template that contains IAM policies.
aws cloudformation create-stack --stack-name iam-stack --template-body file://./iam.yml --capabilities CAPABILITY_IAM --profile dev
An error occurred (InsufficientCapabilitiesException) when calling the CreateStack operation: Requires capabilities : [CAPABILITY_NAMED_IAM]
Change --capabilities to CAPABILITY_NAMED_IAM
If you have IAM resources with custom names, you must specify
CAPABILITY_NAMED_IAM. If you don't specify this parameter, this action
returns an InsufficientCapabilities error.
https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
As per AWS docs,
If you specify a Role name in cloud formation, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities Link
So your command should be
aws cloudformation create-stack --stack-name iam-stack --template-body file://./iam.yml --capabilities CAPABILITY_NAMED_IAM --profile dev
In my case I needed both CAPABILITY_IAM and CAPABILITY_NAMED_IAM capabilities for a resource of type "AWS::IAM::Role".
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudFormation.html#createStack-property
If you are using AWS CodePipeline to deploy an EC2 using a CloudFormation stack, there is an option called "Capabilities" from which you can select CAPABILITY_NAMED_IAM.
You must pass capability as below if you're not letting CloudFormation name your IAM resources.
Change from --capabilities CAPABILITY_IAM to --capabilities CAPABILITY_NAMED_IAM.
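The --capabilities flag discussed in the answers above (and in the CAPABILITY_IAM question at the top of this page) is an acknowledgement that the stack will create or modify IAM principals and policies; a pipeline that always passes CAPABILITY_NAMED_IAM acknowledges any IAM resource a template author later adds, without anyone looking at it. As an added example (not code from any answer here), the Python script below reads a JSON CloudFormation template with the standard library, lists the IAM resources the stack would create, and returns the minimal capability value the template actually needs, so a deploy script can pass exactly that and a reviewer can see which roles or users are being created before acknowledging. The resource-type and name-property tables follow the CloudFormation documentation linked in the answers; the three sample templates, their logical IDs and the role name are constructed for the example.

```python
import json

# Resource types that CloudFormation gates behind CAPABILITY_IAM
# (the list given in the CloudFormation "acknowledging IAM resources" docs).
IAM_RESOURCE_TYPES = {
    "AWS::IAM::AccessKey",
    "AWS::IAM::Group",
    "AWS::IAM::InstanceProfile",
    "AWS::IAM::Policy",
    "AWS::IAM::Role",
    "AWS::IAM::User",
    "AWS::IAM::UserToGroupAddition",
}

# Property that gives the resource a caller-chosen name; its presence escalates
# the requirement to CAPABILITY_NAMED_IAM. AWS::IAM::Policy is deliberately
# absent: its PolicyName is mandatory and does not trigger the named capability.
NAME_PROPERTIES = {
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
}


def iam_resources(template):
    """List every IAM resource as (logical_id, type, custom_name).

    custom_name is None when CloudFormation will generate the name itself.
    An intrinsic function (e.g. a Ref) in the name property still counts
    as a custom name, because the caller, not CloudFormation, chooses it.
    """
    found = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        if rtype not in IAM_RESOURCE_TYPES:
            continue
        props = resource.get("Properties") or {}
        name_prop = NAME_PROPERTIES.get(rtype)
        custom_name = props.get(name_prop) if name_prop else None
        found.append((logical_id, rtype, custom_name))
    return found


def required_capabilities(template):
    """Return the minimal capability list the template needs.

    CAPABILITY_NAMED_IAM covers everything CAPABILITY_IAM does, so one value
    is always enough; an empty list means no acknowledgement is required.
    """
    resources = iam_resources(template)
    if any(name is not None for _, _, name in resources):
        return ["CAPABILITY_NAMED_IAM"]
    if resources:
        return ["CAPABILITY_IAM"]
    return []


def capabilities_argument(template):
    """Render the flag to append to `aws cloudformation create-stack`/`deploy`."""
    caps = required_capabilities(template)
    return "--capabilities " + " ".join(caps) if caps else ""


# Constructed sample templates (JSON form, parsed with the standard library).
BUCKET_ONLY = json.loads('{"Resources": {"Store": {"Type": "AWS::S3::Bucket"}}}')

GENERATED_ROLE = json.loads('''{"Resources": {"FnRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "lambda.amazonaws.com"}}]}}}}}''')

NAMED_ROLE = json.loads('''{"Resources": {"FnRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {"RoleName": "events-list-role",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "lambda.amazonaws.com"}}]}}}}}''')

if __name__ == "__main__":
    samples = [("bucket only", BUCKET_ONLY),
               ("role, generated name", GENERATED_ROLE),
               ("role, custom name", NAMED_ROLE)]
    for label, tpl in samples:
        print(f"{label}: {capabilities_argument(tpl) or '(no capability needed)'}")
        for logical_id, rtype, name in iam_resources(tpl):
            print(f"  review: {logical_id} ({rtype}) name={name or 'generated'}")
```

In a deploy script the rendered flag can be appended to the create-stack or deploy command, and the review list can be printed or posted in the pipeline log so the acknowledgement is a visible decision rather than a default. For YAML templates with short-form intrinsics (!Ref, !Join) a YAML loader with the CloudFormation tags registered is needed; the JSON form is used here so the script has no third-party dependency.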

CAPABILITY_NAMED_IAM using cloud9

I am trying to do all my dev work using a Cloud9 template for serverless apps.
It complains that I don't have CAPABILITY_NAMED_IAM due to the fact that I am creating a role. How do I edit the Cloud9 deploy defaults to include CAPABILITY_NAMED_IAM?
If you started your Cloud9 with CodeStar, you can modify the pipeline to enable capabilities to CAPABILITY_NAMED_IAM in the AWS management console.
You need to edit the GenerateChangeSet section in the deploy step.
Otherwise you should look into your create/update stack to add the --capabilities CAPABILITY_NAMED_IAM:
cloudformation create-stack --stack-name my-stack --template-url dummy-template.yaml --role-arn ... --tags ... --capabilities CAPABILITY_NAMED_IAM
https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities