Reputation: 1017
Using .NET Core, Visual Studio 2017 and the AWS Toolkit for Visual Studio 2017, I created a basic web API; the API works as designed.
However, when it comes to publishing/deploying it, the first time works perfectly when the stack doesn't exist: it creates everything it's supposed to. When I make a change and need to re-deploy/publish, it comes back with the following error.
Error creating CloudFormation change set: Stack [TestStack] already exists and cannot be created again with the changeSet [Lambda-Tools-636366731897711782].
Just above the error message is this:
Found existing stack: False
I'm wondering if there is something not quite right with it detecting whether the stack exists.
I'm just wondering if I'm missing something, or if this is actually by design, as for me to republish it I have to log into my AWS Console, go into the CloudFormation section and delete the existing stack.
Upvotes: 1
Views: 1742
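The "Found existing stack: False" line in the question is the interesting clue: a deploy tool that decides between a CREATE and an UPDATE change set from a DescribeStacks probe will pick CREATE, and get exactly the "already exists" error above, if the probe swallows an AccessDenied as "no stack". The following is an added example, not the AWS Toolkit's own code, and it assumes that probe-then-choose logic (the toolkit's real logic is not on this page). ClientError and StubCloudFormation are constructed stand-ins that mirror the shape of botocore's ClientError and the CloudFormation API so that it runs offline; the naive probe reproduces the symptom and the strict probe surfaces the real cause.

```python
"""Added example (not the AWS Toolkit's own code): why a "does the stack
exist?" probe can print False for a stack that exists, and how to tell
"not found" apart from "not allowed to look".

Assumption: the deploy tool decides between a CREATE and an UPDATE change
set from a DescribeStacks probe; the toolkit's real logic is not on this
page. ClientError and StubCloudFormation are constructed stand-ins that
mirror the shape of botocore's ClientError and the CloudFormation API so
the example runs offline.
"""


class ClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class StubCloudFormation:
    """Constructed CloudFormation client: a set of existing stacks plus an
    allow-list of IAM actions; any action not on the list raises AccessDenied."""

    def __init__(self, existing_stacks, allowed_actions):
        self.stacks = set(existing_stacks)
        self.allowed = set(allowed_actions)

    def _authorize(self, action):
        if action not in self.allowed:
            raise ClientError("AccessDenied", f"not authorized to perform {action}")

    def describe_stacks(self, StackName):
        self._authorize("cloudformation:DescribeStacks")
        if StackName not in self.stacks:
            # Real CloudFormation reports a missing stack as a ValidationError.
            raise ClientError("ValidationError", f"Stack with id {StackName} does not exist")
        return {"Stacks": [{"StackName": StackName, "StackStatus": "UPDATE_COMPLETE"}]}

    def create_change_set(self, StackName, ChangeSetName, ChangeSetType):
        self._authorize("cloudformation:CreateChangeSet")
        if ChangeSetType == "CREATE" and StackName in self.stacks:
            raise ClientError("ValidationError",
                              f"Stack [{StackName}] already exists and cannot be created "
                              f"again with the changeSet [{ChangeSetName}].")
        if ChangeSetType == "UPDATE" and StackName not in self.stacks:
            raise ClientError("ValidationError", f"Stack [{StackName}] does not exist")
        # Constructed ARN; the account and region are placeholders.
        return {"Id": f"arn:aws:cloudformation:us-east-1:123456789012:stack/{StackName}/{ChangeSetName}"}


def stack_exists_naive(cfn, name):
    """Probe that swallows every error as 'no stack'. A denied DescribeStacks
    therefore reads as 'Found existing stack: False'."""
    try:
        cfn.describe_stacks(StackName=name)
        return True
    except ClientError:
        return False


def stack_exists_strict(cfn, name):
    """Probe that maps only the documented 'does not exist' error to False
    and lets AccessDenied (or anything else) propagate."""
    try:
        cfn.describe_stacks(StackName=name)
        return True
    except ClientError as e:
        err = e.response["Error"]
        if err["Code"] == "ValidationError" and "does not exist" in err["Message"]:
            return False
        raise


def deploy(cfn, stack_name, change_set_name, probe):
    """Pick the change-set type from the probe, then create the change set.
    Returns ("ok", type) or ("error", message) for CreateChangeSet failures;
    a probe failure (strict mode) propagates to the caller."""
    change_set_type = "UPDATE" if probe(cfn, stack_name) else "CREATE"
    try:
        cfn.create_change_set(StackName=stack_name, ChangeSetName=change_set_name,
                              ChangeSetType=change_set_type)
        return ("ok", change_set_type)
    except ClientError as e:
        return ("error", e.response["Error"]["Message"])


if __name__ == "__main__":
    # Stack exists, but the caller is only allowed to create change sets.
    cfn = StubCloudFormation(["TestStack"], ["cloudformation:CreateChangeSet"])
    print(deploy(cfn, "TestStack", "Lambda-Tools-1", stack_exists_naive))
    try:
        deploy(cfn, "TestStack", "Lambda-Tools-1", stack_exists_strict)
    except ClientError as e:
        print("strict probe surfaced the real cause:", e)
```

With only CreateChangeSet allowed, the naive probe reports the stack as absent and the CREATE change set fails with the "already exists" message from the question; the strict probe instead fails fast on AccessDenied, which points straight at the missing cloudformation:DescribeStacks permission rather than at the stack.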
Reputation: 464
I was using the CodeBuild pipeline and was facing the same issue.
As the CodeBuild pipeline uses an IAM role, I ended up adding the permissions below to the IAM role.
{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": [
        "iam:GetRole",
        "s3:ListBucket",
        "cloudformation:DescribeStackResource",
        "cloudformation:CreateChangeSet",
        "s3:GetBucketAcl",
        "cloudformation:GetTemplateSummary",
        "cloudformation:DescribeStacks",
        "s3:PutObject",
        "s3:GetObject",
        "lambda:UpdateFunctionCode",
        "cloudformation:DescribeStackEvents",
        "lambda:ListTags",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeChangeSet",
        "s3:GetBucketLocation",
        "cloudformation:ExecuteChangeSet",
        "s3:GetObjectVersion",
        "cloudformation:ListChangeSets"
    ],
    "Resource": "*"
}
If you are deploying using Visual Studio, you must have added an IAM user profile in your VS.
Please make sure your IAM user has the above permissions.
Upvotes: 0
Reputation: 352
AWS' Serverless Application Model is … very new still. And for lack of any documentation about which IAM permissions one needs to deploy an app with their CLI, I've worked out this policy that seems to work, and only grants the least needed permissions for the task.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode",
                "s3:PutObject",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStackResource",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListChangeSets",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:lambda:*:123456789012:function:*-SAM-*",
                "arn:aws:cloudformation:*:123456789012:stack/<STACK NAME OR GLOB>/*",
                "arn:aws:cloudformation:<AWS_REGION>:aws:transform/Serverless-2016-10-31",
                "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:ValidateTemplate",
            "Resource": "*"
        }
    ]
}
Replace <STACK NAME OR GLOB> with something that best suits your needs, like:
    *          if you don't care which CloudFormation stack this grants access to
    *-SAM-*    if you name your SAM CloudFormation apps with some consistency
Replace <AWS_REGION> with the region you're operating in.
The arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-* is the standard bucket naming that SAM CLI uses when it creates a bucket for deploying CloudFormation templates or change sets. You could alter this to explicitly be the name of the bucket SAM created for you.
Upvotes: 1
Reputation: 1017
After a bit of digging and general trial and error, I believe this is actually to do with the permissions of the user performing the publish (the user in AWS).
I changed an inline policy to
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
where cloudformation:* used to be several lines for individual permissions.
This now successfully publishes over an existing stack; however, Visual Studio doesn't like it and crashes (although the update does go through to AWS).
Upvotes: 1
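The three policies above (the CodeBuild role statement, the scoped SAM CLI policy, and the blanket cloudformation:* grant) differ mainly in whether the read actions a change-set deploy needs are present. The checker below is an added example, not code from any of the answers: it takes an IAM policy document (or a bare statement, as in the first answer) and reports which of a required-action list is granted, using IAM's case-insensitive "*" and "?" action matching with explicit Deny overriding Allow. REQUIRED_ACTIONS is an assumption drawn from the answers, not an AWS-published minimum, and Resource, Condition and NotAction are deliberately not evaluated, so "granted" here is necessary, not sufficient. The sample policies are constructed for the example.

```python
"""Added example (not from any answer on this page): check which of the
actions a CloudFormation change-set deploy needs are granted by an IAM
policy, so a missing read permission such as cloudformation:DescribeStacks
is caught before a deploy tool misreports "Found existing stack: False".

Assumptions: REQUIRED_ACTIONS is drawn from the policies in the answers
above, not an AWS-published minimum; only Action/Effect matching is
evaluated (IAM '*' and '?' wildcards, case-insensitive, explicit Deny
wins); Resource, Condition and NotAction are out of scope.
"""
import fnmatch
import json

# Assumed minimum for deploying a change set over an existing stack.
REQUIRED_ACTIONS = [
    "cloudformation:DescribeStacks",
    "cloudformation:CreateChangeSet",
    "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet",
    "cloudformation:DescribeStackEvents",
    "cloudformation:GetTemplateSummary",
    "s3:PutObject",
    "lambda:UpdateFunctionCode",
]

# Constructed sample policies: the blanket cloudformation:* grant from the
# last answer, and a narrow one that forgot the DescribeStacks read.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": ["cloudformation:*"], "Resource": ["*"]}
  ]
}""")

NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:GetTemplateSummary",
                "s3:PutObject",
                "lambda:UpdateFunctionCode",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a full policy document or a bare statement dict."""
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Return (granted, missing) for `required`, preserving its order.
    An action is granted if some Allow statement matches it and no Deny does."""
    granted, missing = [], []
    for action in required:
        allowed = denied = False
        for st in _statements(policy):
            if any(_action_matches(p, action) for p in _as_list(st.get("Action", []))):
                if st.get("Effect") == "Allow":
                    allowed = True
                elif st.get("Effect") == "Deny":
                    denied = True
        (granted if allowed and not denied else missing).append(action)
    return granted, missing


def report(policy, name):
    """Human-readable summary of check_policy for one policy."""
    granted, missing = check_policy(policy)
    lines = [f"{name}: {len(granted)}/{len(REQUIRED_ACTIONS)} required actions granted"]
    lines += [f"  MISSING {action}" for action in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BROAD_POLICY, "cloudformation:* policy"))
    print(report(NARROW_POLICY, "narrow policy"))
```

Run against the blanket grant it reports the non-CloudFormation actions (s3:PutObject, lambda:UpdateFunctionCode) as missing, which matches the pattern in the last answer of "the stack updates but the tool is unhappy"; run against the narrow policy it flags only cloudformation:DescribeStacks, the read that the existence probe depends on. Because Resource and Condition are ignored, treat a clean result as a prerequisite check, then confirm with the IAM policy simulator or a real deploy under that principal.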