AccessDenied error for ec2:DescribeKeyPairs while creating aws cloudformation stack

0

I'm running the following aws cli command to create a cloudformation stack for a single ec2 instance.

$ aws cloudformation create-stack --template-body file://templates/single-instance.yml --stack-name single-instance --parameters ParameterKey=KeyName,ParameterValue=SOME-EXISTING-KEY-PAIR ParameterKey=InstanceType,ParameterValue=t2.micro

I'm using this template (converted to yaml): https://s3-us-west-2.amazonaws.com/cloudformation-templates-us-west-2/EC2InstanceWithSecurityGroupSample.template

While a CloudFormation job does get created, it fails in the console with this error: "AccessDenied. User doesn't have permission to call ec2:DescribeKeyPairs. Rollback requested by user", even though I seem to have the appropriate permissions in AWS. I'm able to run describe-key-pairs successfully otherwise (see the output below):

$ aws ec2 describe-key-pairs --key-name SOME_NAME --region us-east-1
{
    "KeyPairs": [
        {
            "KeyName": "SOME_NAME",
            "KeyFingerprint": "xx:xx:xx:...."
        }
    ]
}

woozymj

Posted 2019-06-18T07:23:35.390

Reputation: 1

Are you creating the stack in the us-east-1 region? You explicitly set a region in the describe-key-pairs command but not the create-stack one – cloud ninja – 2019-06-19T16:37:34.937

Ah, I didn't add the '--region' param there. Well, I got the same result using 'us-east-1' to create the stack. Just figured out the issue though: it was related to me not using the '--profile' option to use the right set of creds. – woozymj – 2019-06-20T14:14:36.917

Glad you found it. For future reference, CloudTrail will show failed requests (from valid users) and give you details on who made them and why they failed. Very useful for tracking down auth issues. – cloud ninja – 2019-06-20T15:52:45.330

Answers

0

Figured it out: it was related to me not using the '--profile' option to use the right set of creds contained in ~/.aws/credentials.

woozymj

Posted 2019-06-18T07:23:35.390

Reputation: 1

I'm actually running into this exact same issue. I tried adding the profile option but that didn't help. Did you have to change anything to your permission policies as well? – Daniel – 2019-06-28T12:54:47.830

@Daniel Well, cloudformation runs with a separate set of IAM permissions I believe. Are you using two-factor auth like STS token in your creds or just normal id/key? – woozymj – 2019-07-01T08:07:15.577

@woozymj Yes! I'm using 2FA which was causing the problem. I ended up using a role delegation that has the permissions to create a stack. – Daniel – 2019-07-26T13:59:35.547

@Daniel Awesome! – woozymj – 2019-08-02T14:35:05.917
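The thread above resolves the same AccessDenied two ways: the asker was calling create-stack without `--profile`, so the CLI used different credentials than the ones it used for describe-key-pairs, and the commenter's identity was MFA-gated, which a role profile fixed. Both come down to one point: unless you hand CloudFormation a service role (`--role-arn`), it makes its EC2 calls with a session derived from the caller's credentials, so the caller must be able to call ec2:DescribeKeyPairs in the target region. The script below is an added example, not code from the original post or from AWS: it writes an assume-role profile that requires MFA (the CLI prompts for the code when the profile is first used), checks which identity a profile resolves to before creating the stack, runs create-stack with an explicit profile and region, and pulls the failed DescribeKeyPairs calls out of CloudTrail, the check the commenter recommends. The profile name `deploy`, account `123456789012`, role `CloudFormationDeploy`, MFA device `alice`, and the `jq` dependency are assumptions; the live AWS calls only run when the CLI is installed and `RUN_LIVE=1` is set, so the rest runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: profile "deploy",
# account 123456789012, role CloudFormationDeploy, MFA device "alice".
set -eu

# Append a named profile that assumes a role and requires MFA to the given
# AWS config file. With mfa_serial set, the CLI prompts for the TOTP code and
# caches the resulting session credentials, so plain long-lived keys are never
# used for the CloudFormation call itself.
write_role_profile() {
  cfg="$1"; name="$2"; role_arn="$3"; source_profile="$4"; mfa_serial="$5"; region="$6"
  mkdir -p "$(dirname "$cfg")"
  cat >> "$cfg" <<EOF
[profile $name]
role_arn = $role_arn
source_profile = $source_profile
mfa_serial = $mfa_serial
region = $region
EOF
  chmod 600 "$cfg"   # config and credentials files must not be group/world readable
}

# Print the account, user id and ARN the CLI will act as for a profile.
# Run this before create-stack: the ARN is the identity CloudFormation will
# use for ec2:DescribeKeyPairs when no service role is passed.
whoami_profile() {
  aws sts get-caller-identity --profile "$1" --output text
}

# Create the single-instance stack with the profile and region stated
# explicitly, so the same credentials that passed the check above are used.
create_single_instance() {
  profile="$1"; region="$2"; keyname="$3"
  aws cloudformation create-stack \
    --profile "$profile" --region "$region" \
    --stack-name single-instance \
    --template-body file://templates/single-instance.yml \
    --parameters ParameterKey=KeyName,ParameterValue="$keyname" \
                 ParameterKey=InstanceType,ParameterValue=t2.micro
}

# List failed calls of one API in CloudTrail for the region (requires jq):
# who made the call, when, and the error code and message AWS returned.
denied_calls() {
  profile="$1"; region="$2"; event="$3"
  aws cloudtrail lookup-events --profile "$profile" --region "$region" \
    --lookup-attributes AttributeKey=EventName,AttributeValue="$event" \
    --output json |
  jq -r '.Events[].CloudTrailEvent | fromjson
         | select(.errorCode != null)
         | "\(.eventTime) \(.userIdentity.arn) \(.errorCode): \(.errorMessage)"'
}

# Demonstration on a throwaway config file (constructed here, not a real account).
DEMO_CFG="$(mktemp -d)/config"
write_role_profile "$DEMO_CFG" deploy \
  arn:aws:iam::123456789012:role/CloudFormationDeploy default \
  arn:aws:iam::123456789012:mfa/alice us-east-1

# Live calls only when the CLI is present and explicitly requested.
if command -v aws >/dev/null 2>&1 && [ "${RUN_LIVE:-0}" = 1 ]; then
  AWS_CONFIG_FILE="$DEMO_CFG" whoami_profile deploy
  AWS_CONFIG_FILE="$DEMO_CFG" create_single_instance deploy us-east-1 SOME-EXISTING-KEY-PAIR
  AWS_CONFIG_FILE="$DEMO_CFG" denied_calls deploy us-east-1 DescribeKeyPairs
fi
```

If `whoami_profile` prints an ARN you did not expect (for example the default profile's user instead of the assumed role), that is the mismatch the asker hit; if it prints the right role but create-stack still rolls back, `denied_calls` shows whether the denied call came from that role or from some other principal.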