
cloudformation deploy exits without useful message #58

Closed
byumark opened this issue Jan 10, 2017 · 17 comments

Comments

@byumark

byumark commented Jan 10, 2017

After running the aws cloudformation package command, I then run deploy and get this:

aws cloudformation deploy --template-file new_template.yml --stack-name stack_name --capabilities CAPABILITY_IAM --profile profile_name
Waiting for changeset to be created..

'Status'

It exits at that point. It gets stuck on the first event:
"ResourceStatus": "REVIEW_IN_PROGRESS",

I am using the code from this example:
https://github.com/awslabs/serverless-application-model/tree/master/examples/2016-10-31/hello_world

aws-cli/1.11.36 Python/2.7.10 Darwin/16.3.0 botocore/1.4.93

@byumark
Author

byumark commented Jan 10, 2017

Just an update:

Having only this one cloudformation action allowed, cloudformation:DescribeStacks, gives this error:

An error occurred (AccessDenied) when calling the CreateChangeSet operation: User: arn:aws:iam::account_id:user/user_name is not authorized to perform: cloudformation:CreateChangeSet

So when I allow cloudformation:CreateChangeSet by adding it to the policy, then the deploy command exits and all I see is this:

Waiting for changeset to be created..

'Status'

I'm guessing I need to allow more actions, but there is no error message telling me what I'm missing. This is probably an awscli cloudformation issue, I'm guessing.

@vikrambhatt

Does it complete if you call deploy with '--no-execute-changeset' option?
If yes, then you might be missing cloudformation:ExecuteChangeSet permission.

@byumark
Author

byumark commented Jan 10, 2017

aws cloudformation deploy --template-file new_template.yml --stack-name stack_name --capabilities CAPABILITY_IAM --profile profile_name --no-execute-changeset

This produces the same result.

Allowing cloudformation:* in the policy causes it to work.

@sanathkr
Contributor

deploy command calls CreateChangeSet API followed by ExecuteChangeSet API. You should have both permissions in your policy for this to work. Of course, you should have permissions to create/manage the resources specified in your template.

My guess is that the CLI does not handle exceptions when calling ExecuteChangeSet. Needs more investigation
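
An added illustration of the failure mode discussed in this thread (example code, not from the thread, the AWS CLI, or SAM). It mirrors the shape of a change-set waiter's error handling, on the assumption that after a waiter failure the caller reads `last_response["Status"]`, and shows how an AccessDenied on DescribeChangeSet (whose error body has no `Status` key) degrades into a bare `KeyError('Status')`, which Python prints as exactly `'Status'`. The two DescribeChangeSet responses are constructed sample data, not captured output.

```python
"""Why a change-set deploy can die printing just 'Status'.

Added example, not code from the thread or from the AWS CLI. Assumption:
the deploy path waits on ChangeSetCreateComplete and, on WaiterError,
reads last_response["Status"] / ["StatusReason"]. Sample responses below
are constructed.
"""


class WaiterError(Exception):
    """Stand-in for botocore.exceptions.WaiterError (no botocore needed)."""

    def __init__(self, reason, last_response):
        super().__init__(reason)
        self.last_response = last_response


# Constructed: what a DescribeChangeSet call hands the waiter when the caller
# lacks cloudformation:DescribeChangeSet. There is no "Status" key at all.
DENIED_RESPONSE = {
    "Error": {
        "Code": "AccessDenied",
        "Message": "User: arn:aws:iam::123456789012:user/deployer is not "
                   "authorized to perform: cloudformation:DescribeChangeSet",
    },
    "ResponseMetadata": {"HTTPStatusCode": 403},
}

# Constructed: a genuine change-set failure, which does carry Status fields.
FAILED_RESPONSE = {
    "Status": "FAILED",
    "StatusReason": "No updates are to be performed.",
    "ResponseMetadata": {"HTTPStatusCode": 200},
}


def report_naive(ex):
    """Assumes last_response is always a DescribeChangeSet result."""
    resp = ex.last_response
    return "Changeset creation failed. Status: %s. Reason: %s" % (
        resp["Status"], resp["StatusReason"])


def report_hardened(ex):
    """Checks for an API error body before reading change-set fields."""
    resp = ex.last_response or {}
    if "Error" in resp:
        err = resp["Error"]
        return "DescribeChangeSet failed (%s): %s" % (
            err.get("Code", "?"), err.get("Message", "no message"))
    return "Changeset creation failed. Status: %s. Reason: %s" % (
        resp.get("Status", "UNKNOWN"), resp.get("StatusReason", "none given"))


def simulate_deploy(reporter, last_response):
    """Raise a waiter failure carrying last_response, then format it with
    `reporter`; an escaping KeyError is rendered the way Python prints it."""
    try:
        raise WaiterError("Waiter ChangeSetCreateComplete failed", last_response)
    except WaiterError as ex:
        try:
            return reporter(ex)
        except KeyError as missing:
            return str(missing)  # str(KeyError("Status")) == "'Status'"


if __name__ == "__main__":
    print(simulate_deploy(report_naive, DENIED_RESPONSE))     # 'Status'
    print(simulate_deploy(report_hardened, DENIED_RESPONSE))  # names the action
    print(simulate_deploy(report_naive, FAILED_RESPONSE))
```

The hardened reporter still prints the real change-set status when one exists; it only adds the check that turns an IAM denial into a message naming the denied action, which is what the later comments in this thread ask for.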

@syang

syang commented May 4, 2017

@sanathkr I copied and pasted your api_gateway code, and the deploy failed. Here is the detailed info, and hopefully this gives you some info to help out.

1. First, I put my specific S3 bucket name in the template.yaml:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Simple CRUD webservice. State is stored in a SimpleTable (DynamoDB) resource.
Resources:
  GetFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.get
      Runtime: nodejs4.3
      CodeUri: s3://serverless-asset/api_backend.zip
      Policies: AmazonDynamoDBReadOnlyAccess
      Environment:
        Variables:
          TABLE_NAME: !Ref Table
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: get

  PutFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.put
      Runtime: nodejs4.3
      CodeUri: s3://serverless-asset/api_backend.zip
      Policies: AmazonDynamoDBFullAccess
      Environment:
        Variables:
          TABLE_NAME: !Ref Table
      Events:
        PutResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: put

  DeleteFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.delete
      Runtime: nodejs4.3
      CodeUri: s3://serverless-asset/api_backend.zip
      Policies: AmazonDynamoDBFullAccess
      Environment:
        Variables:
          TABLE_NAME: !Ref Table
      Events:
        DeleteResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: delete

  Table:
    Type: AWS::Serverless::SimpleTable
```

2. Then I used the following commands to package and deploy the stack:

$ aws cloudformation package --template-file template.yaml --output-template-file new_template.yaml --s3-bucket s3://serverless-asset

$ aws cloudformation deploy --template-file ./serverless/example_api_backend/new_template.yaml --stack-name serverless-api-backend-test-4 --capabilities CAPABILITY_IAM

3. Then awscli told me it failed, and I searched for which action/step failed:

$ aws cloudformation describe-stack-events --stack-name serverless-api-backend-test-4 | grep FAILED
"EventId": "Table-CREATE_FAILED-2017-05-04T18:55:55.655Z",
"ResourceStatus": "CREATE_FAILED",
"EventId": "PutFunctionRole-CREATE_FAILED-2017-05-04T18:55:55.032Z",
"ResourceStatus": "CREATE_FAILED",
"EventId": "DeleteFunctionRole-CREATE_FAILED-2017-05-04T18:55:54.906Z",
"ResourceStatus": "CREATE_FAILED",
"EventId": "GetFunctionRole-CREATE_FAILED-2017-05-04T18:55:54.702Z",
"ResourceStatus": "CREATE_FAILED",

@syang

syang commented May 4, 2017

After granting this user (I called it serverlessAdmin) all permissions (essentially an account admin), the above errors go away. But I don't think it's a good practice. It would be great if we could find out the minimal policy that should be attached to this user.

@purefan

purefan commented Aug 16, 2017

I was facing the same problem, and yeah, adding permissions helped, but ideally I would like to see an error message that describes to me what went wrong.

@timjrobinson

I just got this issue and it's because I was missing the cloudformation:DescribeChangeSet permission.

@sanathkr
Contributor

Nothing actionable here. Closing

@dannybster

For anybody visiting here with a similar issue: I had this problem, but there were no Events in CloudFormation alerting me to missing permissions. I then used aws cloudformation execute-change-set, which failed and alerted me to the missing permissions in the CloudFormation dashboard. After adding what I now believe are the minimum permissions, execute-change-set works but deploy still does not.

My current understanding of minimum permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::your-bucket/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplateSummary"
            ],
            "Resource": "arn:aws:cloudformation:your-region:your-account:stack/your-stack/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:your-region:your-account:function:your-function"
        }
    ]
}
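
An added checker (example code, not from the thread or from any AWS tool) that runs the policy posted above against the change-set actions this thread names and reports which are absent. The required set is an assumption drawn from the comments here (CreateChangeSet, DescribeChangeSet, ExecuteChangeSet, DescribeStacks) and is not claimed to be complete for every CLI version; the embedded policy is a constructed copy of the one in the comment above. Matching follows IAM rules only as far as Effect, case-insensitive Action strings and `*` wildcards go; NotAction, Resource and Condition scoping and permission boundaries are not modelled.

```python
"""Find CloudFormation change-set actions missing from an IAM policy.

Added example, not from the thread or any AWS tool. DEPLOY_ACTIONS is the
list of actions named in this thread (assumption, not an authoritative
list). Resource/Condition/NotAction are deliberately not modelled.
"""
import fnmatch
import json

DEPLOY_ACTIONS = frozenset({
    "cloudformation:CreateChangeSet",
    "cloudformation:DescribeChangeSet",  # the one most commenters were missing
    "cloudformation:ExecuteChangeSet",
    "cloudformation:DescribeStacks",
})

# Constructed copy of the "minimum permissions" policy posted above.
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::your-bucket/*"},
  {"Effect": "Allow", "Action": ["cloudformation:DescribeStacks",
                                 "cloudformation:ExecuteChangeSet",
                                 "cloudformation:GetTemplateSummary"],
   "Resource": "arn:aws:cloudformation:your-region:your-account:stack/your-stack/*"},
  {"Effect": "Allow", "Action": ["cloudformation:CreateChangeSet"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:GetRole"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["lambda:UpdateFunctionCode",
                                 "lambda:GetFunctionConfiguration"],
   "Resource": "arn:aws:lambda:your-region:your-account:function:your-function"}
]}
""")


def _as_list(value):
    """IAM allows a single string/object or a list in most positions."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def effective_actions(policy, required):
    """Subset of `required` the policy allows. A matching Deny beats any
    Allow, as in IAM; action names compare case-insensitively with
    fnmatch-style '*' and '?' wildcards."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in required:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    bucket.add(action)
    return allowed - denied


def missing_actions(policy, required=DEPLOY_ACTIONS):
    """Sorted list of required actions the policy does not grant."""
    return sorted(set(required) - effective_actions(policy, required))


def with_missing_actions(policy, stack_arn, required=DEPLOY_ACTIONS):
    """Copy of `policy` plus one Allow statement for the missing actions,
    scoped to `stack_arn` (a placeholder ARN; substitute your own)."""
    patched = json.loads(json.dumps(policy))  # cheap deep copy
    missing = missing_actions(policy, required)
    if missing:
        patched["Statement"] = _as_list(patched.get("Statement")) + [
            {"Effect": "Allow", "Action": missing, "Resource": stack_arn}]
    return patched


if __name__ == "__main__":
    print("missing:", missing_actions(POSTED_POLICY))
    fixed = with_missing_actions(
        POSTED_POLICY, "arn:aws:cloudformation:your-region:your-account:stack/your-stack/*")
    print(json.dumps(fixed["Statement"][-1], indent=2))
```

Run against the posted policy it reports only cloudformation:DescribeChangeSet, which is consistent with the observation above that execute-change-set succeeds while deploy does not: deploy waits on the change set with DescribeChangeSet before it ever calls ExecuteChangeSet.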

@andreas-hartmann

I just stumbled upon this; it's still occurring almost 7 years later. IMO there should be some more information printed by default, seeing how many people were affected by this (looking at the number of upvotes in this issue).

@markdwags

I ran into this as well, using 2.13.16.

It was failing the same way, same error of "Status". I was missing DescribeChangeSet.

@josealdaco

josealdaco commented Oct 9, 2023

Same issue, was missing DescribeChangeSet, but the output gave no meaningful feedback on the source of the problem. Before, I would just run the CLI command a second time, which would then succeed. The output should return a typical "IAM role does not have permissions to run cloudformation:DescribeChangeSet on resource xxx".

@tyliggity

tyliggity commented Oct 19, 2023

Guys, this was such a simple fix and yet was closed as "nothing actionable"? The error message is 'Status' which is NOT an error message, let alone a broken one. Terrible that I have to go back to this 6 year old issue to find the missing permission(s).

@GavinZZ
Contributor

GavinZZ commented Oct 19, 2023

The reason we marked it as nothing actionable is because this is using AWS CLI, which is not in our control. We would recommend using SAM CLI to deploy templates, i.e. sam deploy --guided.

@tyliggity

tyliggity commented Oct 19, 2023

@GavinZZ I understand. At the very least, this should be escalated to the AWS CLI folks then. SAM CLI is surely not the recommended approach to deploying CloudFormation templates which have nothing to do with serverless solutions. Not to mention, this issue tends to be top of the Google search results for this particular issue. I can see why the confusion.

@GavinZZ
Contributor

GavinZZ commented Oct 19, 2023

@tyliggity Let me rephrase. If the template uses the SAM Transform, it's recommended to use SAM CLI. However, if it's a pure CloudFormation template, it definitely makes sense to use AWS CLI.

I’ll help cut an issue to aws-cli repository to provide a more meaningful error message.
