I am exploring how to delegate Cloudformation permission to other users by testing specifying a role when creating a stack. I notice that some resources like VPC, IGW and EIP can be created but error was prompted. The created resources cannot be deleted by the stack also during rollback or stack deletion.
For example, the following simple template create a VPC:
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.3.9.0/24
I have actually created a role to specify during creation with policy which allow a lot of actions that I collected by querying the cloudtrail using athena. The following are already included:
"ec2:CreateVpc","ec2:DeleteVpc","ec2:ModifyVpcAttribute"
However, the following occur during creation:
Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: bf28db5b-461e-48ff-9430-91cc05be77ef)" (RequestToken: bc6c6c87-a616-2e94-65eb-d4e5488a499a, HandlerErrorCode: AccessDenied)
Looks like some callback mechanisms are used? The VPC was actually created.
The deletion was also failed but it did not succeeded.
Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: f1e43bf1-eb08-462a-9788-f183db2683ab)" (RequestToken: 80cc5412-ba28-772b-396e-37b12dbf8066, HandlerErrorCode: AccessDenied)
Any hint about this issue? Thanks.
Thanks. Actually I did try to find corresponding cloudtrail log but could not really figure out what were denied even with this very simple example. There are not really many logs and so I am not sure whether I miss something else.
Also thanks for the suggestion about service catalog. Will take a look at the workshop.
PS Notice that it is easier to search the cloudtrail using the corresponding requestid. Will try to fix the policy based on the error.