4

IMPORTANT

I'm building the TemplateURL dynamically.

"TemplateURL" : { "Fn::Join" : ["", [  { "Ref" : "TemplateURL"}, "substack.template" ]] }

I'm running a CloudFormation template in the AWS Console.

Running Stack Directly

I started with a template that used IAM resources, and the console prompts me to acknowledge IAM capabilities when running the stack directly.

Running Stack as a child

I then tried to call the same stack from a parent stack and did not receive the same prompt.

The stack then failed with the message:

Requires capabilities : [CAPABILITY_IAM]

Research

The docs indicate that I can run CF scripts in a number of ways. There's plenty of docs around CLI/API and supplying the capability parameter, but there appears to be no information about how to make sure it's applied when running through the console.

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html

IAM Resources in AWS CloudFormation Templates

  • CF Console
  • CLI
  • API

What I've done / What I think

I've raised an issue via the forum for now, but no response (yet): https://forums.aws.amazon.com/thread.jspa?threadID=139160

I suspect this is a bug in the Console, as there doesn't appear to be any documentation of how to change the behaviour via the console and as far as I'm aware this should just work.

Has anyone come across the same problem, or can anyone report that it's working fine for them?

Drew Khoury
  • If anybody is interested I have worked around it by creating a dummy IAM user in the master stack. This will do until the bug is fixed. – Drew Khoury Nov 19 '13 at 11:53

3 Answers

6

I just ran into this issue; my problem was that I did not check the checkbox "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." on the last screen before updating my stack.

AsTeR
2

If you are using the CLI or boto, you can include the "capabilities" parameter. This takes in a list, but the only accepted entry right now is 'CAPABILITY_IAM'.

cf.update_stack(..., capabilities=['CAPABILITY_IAM'])

or

cf.create_stack(..., capabilities=['CAPABILITY_IAM'])

This grants the entire stack tree IAM creation permissions.

CloudWalker
1

When building the TemplateURL dynamically the validation checker cannot see if there are IAM resources in advance, and this is why it won't ask for the IAM_CAPABILITIES.

The best workaround for this problem (right now) would be to create a dummy IAM resource in the master template to get the prompt.

Drew Khoury
  • Thanks for following up with your discoveries - this seems to match previous observations of mine, but ironically we seem to encounter the inverse behavior as of recently, i.e. `CAPABILITY_IAM` is now **always** required once a sub stack resource is involved, even if it doesn't create IAM resources (e.g. the [Nesting a Stack in a Template](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-stack.html#scenario-stack) example exposes this behavior, and this happens at the API level). Unfortunately this obstructs other use cases now - has AWS contacted you about this change? – Steffen Opel Nov 25 '13 at 23:24
  • I got help through a friend but will be raising it as an official request once I get support setup for my account. – Drew Khoury Nov 26 '13 at 08:51
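The two answers above make the same practical point from different sides: the API caller must pass `CAPABILITY_IAM` explicitly, and the console cannot see IAM resources hidden behind a dynamically joined `TemplateURL`, so the check has to happen before the call. The following is an added example (not code from the question, from any of the answers, or from AWS) that does that check locally: it scans the parent and any child templates for `AWS::IAM::*` resources, refuses to guess when the parent declares nested stacks whose templates were not supplied, and builds the keyword arguments for a boto3 `create_stack`/`update_stack` call. The keyword names `StackName`, `TemplateBody`/`TemplateURL` and `Capabilities` are boto3's; the legacy boto call quoted in the answer spells the last one `capabilities=[...]`. The function names and the two sample templates are constructed for this example, and no AWS call is made.

```python
import json

# Resource types that matter for this decision (the types named in the thread above).
IAM_RESOURCE_PREFIX = "AWS::IAM::"
NESTED_STACK_TYPE = "AWS::CloudFormation::Stack"


def resources_of_type(template, predicate):
    """Logical IDs of resources whose Type satisfies predicate (sorted for stable output)."""
    resources = template.get("Resources", {})
    return sorted(
        logical_id
        for logical_id, res in resources.items()
        if predicate(str(res.get("Type", "")))
    )


def iam_resources(template):
    """Logical IDs of AWS::IAM::* resources, the ones that trigger CAPABILITY_IAM."""
    return resources_of_type(template, lambda t: t.startswith(IAM_RESOURCE_PREFIX))


def nested_stacks(template):
    """Logical IDs of AWS::CloudFormation::Stack resources (child stacks)."""
    return resources_of_type(template, lambda t: t == NESTED_STACK_TYPE)


def required_capabilities(parent, children=None):
    """Capabilities a create_stack/update_stack call must pass for this stack tree.

    The console's pre-check only sees the parent; a child reached through a
    dynamically joined TemplateURL is opaque to it. So if the parent contains
    nested stacks, the caller must supply the child templates explicitly;
    otherwise we refuse to guess rather than silently omit CAPABILITY_IAM.
    """
    if nested_stacks(parent) and children is None:
        raise ValueError(
            "parent declares nested stacks %s; pass their templates as "
            "children so they can be scanned for IAM resources" % nested_stacks(parent)
        )
    templates = [parent] + list(children or [])
    if any(iam_resources(t) for t in templates):
        return ["CAPABILITY_IAM"]
    return []


def stack_call_kwargs(stack_name, parent, children=None, template_url=None):
    """Keyword arguments for boto3 cloudformation.create_stack / update_stack.

    Keyword names (StackName, TemplateBody/TemplateURL, Capabilities) are the
    boto3 ones (assumed here); the legacy boto call quoted in the answer spells
    the last one capabilities=[...]. No AWS call is made by this function.
    """
    kwargs = {"StackName": stack_name}
    if template_url:
        kwargs["TemplateURL"] = template_url
    else:
        kwargs["TemplateBody"] = json.dumps(parent)
    caps = required_capabilities(parent, children)
    if caps:
        kwargs["Capabilities"] = caps
    return kwargs


# Constructed sample templates, not taken from the question. The parent reuses the
# Fn::Join TemplateURL pattern from the question; the child carries the "dummy
# IAM user" workaround mentioned in the comments.
PARENT_TEMPLATE = {
    "Parameters": {"TemplateURL": {"Type": "String"}},
    "Resources": {
        "Child": {
            "Type": NESTED_STACK_TYPE,
            "Properties": {
                "TemplateURL": {
                    "Fn::Join": ["", [{"Ref": "TemplateURL"}, "substack.template"]]
                }
            },
        }
    },
}

CHILD_TEMPLATE = {
    "Resources": {"DummyUser": {"Type": "AWS::IAM::User", "Properties": {}}}
}

if __name__ == "__main__":
    # The parent alone is undecidable; once the child is scanned, CAPABILITY_IAM is required.
    print(json.dumps(stack_call_kwargs("demo", PARENT_TEMPLATE, children=[CHILD_TEMPLATE]), indent=2))
```

Passing `children=[]` is an explicit statement that the child stacks contain no IAM resources; leaving it as `None` while the parent has `AWS::CloudFormation::Stack` resources is treated as an error, which is the failure mode the question describes (the stack is created without the capability and then fails with `Requires capabilities : [CAPABILITY_IAM]`).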