AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]

Question

When creating a stack with CloudFormation, I get this error:

Stack update error: Requires capabilities : [CAPABILITY_IAM]

I can't find a template for adding CAPABILITIES_IAM to the CloudFormation configuration.

What are the options for resolving CAPABILITIES_IAM errors?

Answer 1

Turns out you need to check a box on the last screen of the stack creation. If you are using the console, just above the 'create stack' button there's a box asking you to acknowledge that you want to allow Cloudformation to modify IAM stuff. You can, of course, create the stack without the acknowledgement, which will cause the stack to fail with the CAPABILITY_IAM error (or another error, if a different capability is required).

In CodePipeline CloudFormation you can add it like this to allow execution of the created change_set in the deploy action:

Configuration:         StackName: !Ref GitHubRepository         ActionMode: CHANGE_SET_REPLACE         Capabilities: CAPABILITY_NAMED_IAM         RoleArn: arn:aws:iam::818272543125:role/events-list-codepiplinerole         ChangeSetName: !Join ["",[!Ref GitHubRepository, "-changeset"]]         TemplatePath: MyAppBuild::sam_post.yaml 

In the aws cli append

--capabilities CAPABILITY_IAM 

or

--capabilities CAPABILITY_NAMED_IAM 

To your command like this:

aws cloudformation create-stack --stack-name message-store --template-body file://bucket_with_keys.yaml --parameters file://cfg_bucket_with_keys.json --capabilities CAPABILITY_NAMED_IAM 

This does not apply to cloudformation --validate-template as it is not actually creating the resources.