Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Permission issue on resource arn:aws:cloudformation:us-east-1:aws:transform

Tags:

amazon-web-services

aws-api-gateway

swagger

openapi

aws-cloudformation

I am trying to integrate swagger with api gateway and lambda using swagger extensions. Swagger file is uploaded in a S3 bucket, I am using Body with transform and include as below

Using BodyS3Location in AWS::ApiGateway::RestApi properties returns error Unable to parse API definition because of a malformed integration for the same integration mentioned above I referred Swagger file with AWS Extensions stored in S3 Bucket for API Creation with Cloudformation.

and modified the template as below for AWS::ApiGateway::RestApi properties Body: Fn::Transform: Name: AWS::Include Parameters: Location: Fn::Sub: "s3://${BucketName}/apiSwaggerSpec.yaml"

For the stack above I have all the permission on cloudformation actions

Below code I have added as swagger extension. x-amazon-apigateway-auth: type: "aws_iam" x-amazon-apigateway-integration: type: "aws_proxy" httpMethod: "POST" passthroughBehavior: "when_no_match" uri: Fn::Sub: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:${accountId}:function:testLambdaFunction/invocations" credentials: Fn::Sub: "arn:aws:iam::${accountId}:role/${myRole}" responses: default: statusCode: 200

I am getting permission denied error with message as myrole is not authorized to perform cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:aws:transform/include

Do I need to add special permissions for transform/include. aws documentation says it doesn't need special permissions?

like image 542
Steve Avatar asked Oct 26 '25 02:10

Steve

1 Answers

I hit this same problem, and this question was the only meaningful result I could find when searching. Despite AWS's claims to the contrary, there does appear to be a required permission, but the one that the error message complains about seems to be the only one; after that, the Include transform appears to work. This is the entire policy I added:

      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - # The AWS::Include transform requires this weird permission.
            Sid: UseInclude
            Effect: "Allow"
            Action: "cloudformation:CreateChangeSet"
            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:aws:transform/Include"
like image 118
qid Avatar answered Oct 27 '25 18:10

qid
Sign in to Comment

Related questions

How do I fix the AWS Wild Rydes sample error: InvalidParameterException: "username should be an email"
Aurora RDS Postgres with IAM Authentication error?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!