Menu
When creating a stack with CloudFormation, I get this error:
Stack update error: Requires capabilities : [CAPABILITY_IAM]
I can't find a template for adding CAPABILITIES_IAM to the CloudFormation configuration.
What are the options for resolving CAPABILITIES_IAM errors?
441
This error is a security related message: it happens when you try to create a CloudFormation stack that includes the creation of IAM related resources. You have to explicitly tell CloudFormation that you are OK with that. To make it work, simply add the parameter --capabilities CAPABILITY_IAM to your deploy command.
There is a way to force Cloudformation to update the stack using the AWS::CloudFormation::Init . By using cfn-init, each instance can update itself when it detect the change that made by AWS::CloudFormation::Init in metadata.
Update with No Interruption. AWS CloudFormation updates the resource without disrupting operation of that resource and without changing the resource's physical ID. For example, if you update certain properties on an AWS::CloudTrail::Trail resource, AWS CloudFormation updates the trail without disruption.
Turns out you need to check a box on the last screen of the stack creation. If you are using the console, just above the 'create stack' button there's a box asking you to acknowledge that you want to allow Cloudformation to modify IAM stuff. You can, of course, create the stack without the acknowledgement, which will cause the stack to fail with the CAPABILITY_IAM error (or another error, if a different capability is required).
In CodePipeline CloudFormation you can add it like this to allow execution of the created change_set in the deploy action:
Configuration: StackName: !Ref GitHubRepository ActionMode: CHANGE_SET_REPLACE Capabilities: CAPABILITY_NAMED_IAM RoleArn: arn:aws:iam::818272543125:role/events-list-codepiplinerole ChangeSetName: !Join ["",[!Ref GitHubRepository, "-changeset"]] TemplatePath: MyAppBuild::sam_post.yaml In the aws cli append
--capabilities CAPABILITY_IAM or
--capabilities CAPABILITY_NAMED_IAM To your command like this:
aws cloudformation create-stack --stack-name message-store --template-body file://bucket_with_keys.yaml --parameters file://cfg_bucket_with_keys.json --capabilities CAPABILITY_NAMED_IAM This does not apply to cloudformation --validate-template as it is not actually creating the resources.
149
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With