Reputation: 19225
On a CloudFormation stack I get an error on an operation of type AWS::EC2::SubnetRouteTableAssociation:
The exact error is:
Resource handler returned message: "You are not authorized to perform this operation.
(Service: Ec2, Status Code: 403, Request ID: XXXXXXXX, Extended Request ID: null)"
(RequestToken: XXXXXXXX, HandlerErrorCode: GeneralServiceException)
What bothers me is that I cannot see what API call has failed. Normally, I think it would have the operation name in parentheses so that it is easier to identify what goes on. Anyways, I'm taking a guess and assuming that it is the AssociateRouteTable permission that the user doesn't have. But the user has this permission.
Question: How can I identify the type of API Action that I need to grant the IAM user in question?
I've tried to do (what I believe is) the same from the CLI:
aws ec2 associate-route-table \
--subnet-id <subnet-id> \
--route-table-id <route-table-id>
(obviously with the same values as my CloudFormation would be using). Doing it via the CLI works and correctly puts an event into the CloudTrail Event history of type AssociateRouteTable. But when I do it via CloudFormation I get the above error and no trace of any AssociateRouteTable event in the CloudTrail Event history.
Upvotes: 1
Views: 1617
Reputation: 19225
This turned out to be very difficult to figure out. In the end I resorted to deploying the CloudFormation template from a user with the AdministratorAccess policy. This worked, unsurprisingly, and provided me with "debug" information. From this action I could look into CloudTrail Event history and see that CloudFormation would execute several API calls in order to satisfy the AWS::EC2::SubnetRouteTableAssociation resource type. These were:
ec2:DescribeSubnets
ec2:DescribeRouteTables
ec2:AssociateRouteTable
The last one on the above list would be no surprise. In my case the user was missing the permission to do ec2:DescribeRouteTables, and the CloudFormation deploy would therefore fail with said error message. After adding this permission to the user it now works.
This also explains why it worked when I executed the aws ec2 associate-route-table CLI command but not from CloudFormation. The two are not (exactly) the same.
Go figure!
I sincerely doubt the majority of AWS nerds would go through the same steps I've taken in order to figure this out, so I'm thinking there must be some documentation I've missed. Also, I still cannot explain why the failed API call does not show up in CloudTrail Event History. Alas, it works now, so I'm packing up.
Upvotes: 2
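A least-privilege IAM policy covering the three calls the answer lists, added here as an example and not taken from the original post; the region and account ID are placeholders. The two Describe actions do not support resource-level permissions and therefore need Resource "*", while ec2:AssociateRouteTable can be scoped to the route tables and subnets of the target account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCallsMadeByCloudFormation",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AssociateScopedToAccountResources",
      "Effect": "Allow",
      "Action": "ec2:AssociateRouteTable",
      "Resource": [
        "arn:aws:ec2:REGION-PLACEHOLDER:111122223333:route-table/*",
        "arn:aws:ec2:REGION-PLACEHOLDER:111122223333:subnet/*"
      ]
    }
  ]
}
```

Before redeploying, the IAM policy simulator can confirm the principal is allowed all three calls without touching any resources: aws iam simulate-principal-policy --policy-source-arn <user-or-role-arn> --action-names ec2:DescribeSubnets ec2:DescribeRouteTables ec2:AssociateRouteTable.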