aws-sam-cli-managed-default stack rolled back with "The specified bucket is not valid" error

[punkstar]

Description:

When setting up a new sam project using sam init, then sam build and then sam deploy --guided, the Cloud Formation process fails with:

Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once

Steps to reproduce:

$ sam init
Which template source would you like to use?
	1 - AWS Quick Start Templates
	2 - Custom Template Location
Choice: 1
What package type would you like to use?
	1 - Zip (artifact is a zip uploaded to S3)
	2 - Image (artifact is an image uploaded to an ECR image repository)
Package type: 1

Which runtime would you like to use?
	1 - nodejs14.x
	2 - python3.9
	3 - ruby2.7
	4 - go1.x
	5 - java11
	6 - dotnetcore3.1
	7 - nodejs12.x
	8 - nodejs10.x
	9 - python3.8
	10 - python3.7
	11 - python3.6
	12 - python2.7
	13 - ruby2.5
	14 - java8.al2
	15 - java8
	16 - dotnetcore2.1
Runtime: 1

Project name [sam-app]: github-test-case

Cloning from https://github.com/aws/aws-sam-cli-app-templates

AWS quick start application templates:
	1 - Hello World Example
	2 - Step Functions Sample App (Stock Trader)
	3 - Quick Start: From Scratch
	4 - Quick Start: Scheduled Events
	5 - Quick Start: S3
	6 - Quick Start: SNS
	7 - Quick Start: SQS
	8 - Quick Start: Web Backend
Template selection: 1

    -----------------------
    Generating application:
    -----------------------
    Name: github-test-case
    Runtime: nodejs14.x
    Dependency Manager: npm
    Application Template: hello-world
    Output Directory: .

    Next steps can be found in the README file at ./github-test-case/README.md

$ cd github-test-case
$ sam deploy --guided --debug
2021-09-04 22:54:55,157 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2021-09-04 22:54:55,158 | Using config file: samconfig.toml, config environment: default
2021-09-04 22:54:55,158 | Expand command line arguments to:
2021-09-04 22:54:55,158 | --guided --template_file=/Users/nrj/Projects/github-test-case/template.yaml --stack_name=sam-app --fail_on_empty_changeset

Configuring SAM deploy
======================

	Looking for config file [samconfig.toml] :  Not found

	Setting default arguments for 'sam deploy'
	=========================================
	Stack Name [sam-app]: github-test-case
	AWS Region [eu-west-2]:
2021-09-04 22:55:01,053 | No Parameters detected in the template
2021-09-04 22:55:01,080 | 2 stacks found in the template
	#Shows you resources changes to be deployed and require a 'Y' to initiate deploy
	Confirm changes before deploy [y/N]:
	#SAM needs permission to be able to create roles to connect to the resources in your template
	Allow SAM CLI IAM role creation [Y/n]:
2021-09-04 22:55:03,600 | No Parameters detected in the template
2021-09-04 22:55:03,628 | 2 resources found in the stack
2021-09-04 22:55:03,628 | No Parameters detected in the template
2021-09-04 22:55:03,651 | Found Serverless function with name='HelloWorldFunction' and CodeUri='hello-world/'
2021-09-04 22:55:03,651 | --base-dir is not presented, adjusting uri hello-world/ relative to /Users/nrj/Projects/github-test-case/template.yaml
2021-09-04 22:55:03,651 | No Parameters detected in the template
2021-09-04 22:55:03,675 | Detected Inline Swagger definition
2021-09-04 22:55:03,675 | Auth checks done on swagger are not exhaustive!
	HelloWorldFunction may not have authorization defined, Is this okay? [y/N]: y
2021-09-04 22:55:05,117 | No Parameters detected in the template
2021-09-04 22:55:05,148 | 2 resources found in the stack
2021-09-04 22:55:05,148 | No Parameters detected in the template
2021-09-04 22:55:05,171 | Found Serverless function with name='HelloWorldFunction' and CodeUri='hello-world/'
2021-09-04 22:55:05,171 | --base-dir is not presented, adjusting uri hello-world/ relative to /Users/nrj/Projects/github-test-case/template.yaml
2021-09-04 22:55:05,171 | No function or layer definition found with code sign config, skipping
	Save arguments to configuration file [Y/n]:
	SAM configuration file [samconfig.toml]:
	SAM configuration environment [default]:

	Looking for resources needed for deployment:
2021-09-04 22:55:08,406 | Managed S3 stack [aws-sam-cli-managed-default] not found. Creating a new one.
	Creating the required resources...
2021-09-04 22:55:39,246 | Failed to create managed resources
Traceback (most recent call last):
  File "/usr/local/Cellar/aws-sam-cli/1.30.0/libexec/lib/python3.8/site-packages/samcli/lib/utils/managed_cloudformation_stack.py", line 107, in _create_or_get_stack
    stack = _create_stack(
  File "/usr/local/Cellar/aws-sam-cli/1.30.0/libexec/lib/python3.8/site-packages/samcli/lib/utils/managed_cloudformation_stack.py", line 180, in _create_stack
    stack_waiter.wait(StackName=stack_id, WaiterConfig={"Delay": 15, "MaxAttempts": 60})
  File "/usr/local/Cellar/aws-sam-cli/1.30.0/libexec/lib/python3.8/site-packages/botocore/waiter.py", line 53, in wait
    Waiter.wait(self, **kwargs)
  File "/usr/local/Cellar/aws-sam-cli/1.30.0/libexec/lib/python3.8/site-packages/botocore/waiter.py", line 350, in wait
    raise WaiterError(
botocore.exceptions.WaiterError: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once
2021-09-04 22:55:39,248 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': 'db327d08-08a0-4f89-8a28-983e73244651', 'installationId': 'ff7e8c7e-a91e-453d-a62a-c57922b8ef47', 'sessionId': '23501a9e-26a9-428b-a77a-4761f0c4f8f3', 'executionEnvironment': 'CLI', 'ci': False, 'pyversion': '3.8.12', 'samcliVersion': '1.30.0', 'awsProfileProvided': False, 'debugFlagProvided': True, 'region': '', 'commandName': 'sam deploy', 'duration': 44088, 'exitReason': 'ManagedStackError', 'exitCode': 1}}]}
2021-09-04 22:55:39,955 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out. (read timeout=0.1)
Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once

Observed result:

The following error on the CLI:

Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once

An event on SamCliSourceBucketBucketPolicy in status CREATE_FAILED with error:

The specified bucket is not valid. (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketName; Request ID: RT87VR3Q5R82GMEN; S3 Extended Request ID: rD6481ZT7Xx0iMSXqKLIOg7Hwz/5PKMjA/FKqWze8fl7AQ16NCaDRnMuIEL5O0zrFQyQPnHonhU=; Proxy: null)

Expected result:

I'm not familiar with this tool, but I assume a working project?

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

1. OS: macOS 11.5.1 (20G80)
2. sam --version: SAM CLI, version 1.30.0
3. AWS region: eu-west-2

[punkstar]

Related #3240?

[Willbly]

I'm having the exact same issue in ap-southeast-2 on Windows with CLI 1.30.00.

[eh-admin]

exact same issue on eu-central-1.

sam version

> sam --version
SAM CLI, version 1.30.0

sam deploy

> sam deploy --guided

...

Looking for resources needed for deployment:
        Creating the required resources...
Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once

AWS Cloudformation: aws-sam-cli-managed-default

2021-09-06 12:39:00 UTC+0200

SamCliSourceBucketBucketPolicy

CREATE_FAILED

The specified bucket is not valid. (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketName; Request ID: QAY523TCV8FJ3BQA; S3 Extended Request ID: 3jUblLOejHSV3DM4VNCqDS55Um6oCQ+Bz0nEW5vHbM2k2u0IOil0cubd2nx+eN7u3BWB8xjDs+A=; Proxy: null)

[siwebstrategy]

I'm having the same issue - us-east-2, Windows, SAM CLI 1.30.0

[cryptotopmovers]

I'm also having same issue - SAM CLI, version 1.30.0

[stevegeusa]

I'm also having same issue - SAM CLI, version 1.30.0 - us-east-1

[sriram-mv]

Thanks for opening the issue! We are looking into the fix.

In the meantime, if you are using pip or our installers, one can downgrade to the previous version of SAM CLI where this functionality is not present and then use sam delete to delete the managed stack. Its important that you delete the managed stack in the region where the creation of the managed stack failed.

sam delete --stack-name aws-sam-cli-managed-default

and let sam cli re-create it during guided deploy process.

[pfilaretov42]

@sriram-mv , could you please advise where previous version(s) of an installer for Windows can be found? Documentation does not mention any.

[runchengwang]

I'm also having same issue - SAM CLI, version 1.30.0 - cn-north-1 and cn-northwest-1

[runchengwang]

I'm also having same issue - SAM CLI, version 1.30.0 - cn-north-1 and cn-northwest-1

I tested with SAM CLI, version 1.29.0 - cn-north-1 and cn-northwest-1 and it worked.

[budvinchathura]

@sriram-mv , could you please advise where previous version(s) of an installer for Windows can be found? Documentation does not mention any.

@pfilaretov you can find them under the releases in this same repo.

https://github.com/aws/aws-sam-cli/releases

[alexdoronin]

The same issue. SAM CLI, version 1.30.0

Workaround:

aws s3 mb s3://my-bucket-for-sam 
sam deploy --s3-bucket my-bucket-for-sam --stack-name sam-app --capabilities CAPABILITY_IAM

[CoshUS]

Fix has been released in 1.31.0.
https://github.com/aws/aws-sam-cli/releases/tag/v1.31.0
Please run sam delete --stack-name aws-sam-cli-managed-default to remove the broken managed stack before going through guided deploy or --resolve-s3 again.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[AllanOricil]

@CoshUS

This issue was not fixed. I have sam 1.36.0 and Im getting the same error.

I tried once and got this error. Then I deleted the stack using sam delete --stack-name aws-sam-cli-managed-default and confirmed it was removed in the UI and in the cli output. After that I tried again and got the same error.

Im running SAM using the repo from this tutorial: https://aws.amazon.com/blogs/compute/uploading-to-amazon-s3-directly-from-a-web-or-mobile-application/

[AllanOricil]

@CoshUS
I ran the deploy command again and it worked when I specified a bucket name. This bucket is ignored by SAM and the stack is created without problem. So there is a bug here

sam deploy --s3-bucket allanoricil-test-bucket --guided

[qingchm]

@AllanOricil Unfortunately --guided by design uses the managed s3 bucket so ignoring the input s3 location is expected. But we do see this as an feature request so if we support this in the future we'll try to let you know!

[yobooooi]

I've also encountered this issue on SAM CLI, version 1.40.1 but it was a permission issue in the account I was using. My role didn't have the correct S3 permissions to create an encrypted bucket, which caused that default sam stack to fail. Or in some cases it could also be a SCP preventing encryption changes.

https://stackoverflow.com/questions/69839126/aws-iam-s3-error-putting-s3-server-side-encryption-configuration-accessdeni

[danlangford]

I've also encountered this issue on SAM CLI, version 1.40.1 but it was a permission issue in the account I was using. My role didn't have the correct S3 permissions to create an encrypted bucket, which caused that default sam stack to fail. Or in some cases it could also be a SCP preventing encryption changes.

https://stackoverflow.com/questions/69839126/aws-iam-s3-error-putting-s3-server-side-encryption-configuration-accessdeni

• @yobooooi

thank you so much.

[deepakpundir04]

I also have encountered the same issue on SAM CLI, version 1.46.0 . I have also run the sam delete --stack-name aws-sam-cli-managed-default command it does delete the stack but still sam deploy --guided this doesn't worked.
@yobooooi thanks this link https://stackoverflow.com/questions/69839126/aws-iam-s3-error-putting-s3-server-side-encryption-configuration-accessdeni work for me as well

[Similimodo]

This command worked for me. ``sam deploy --s3-bucket --stack-name sam-app --capabilities CAPABILITY_IAM

[blackcatpolice]

我也遇到过这个问题，SAM CLI, version 1.40.1但这是我使用的账户的权限问题。我的角色没有正确的 S3 权限来创建加密存储桶，这导致默认的 sam 堆栈失败。或者在某些情况下，它也可能是 SCP 阻止了加密更改。

https://stackoverflow.com/questions/69839126/aws-iam-s3-error-putting-s3-server-side-encryption-configuration-accessdeni

Yor right!!!!!