By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Permission Error while deploying CloudFormation Stack with Amazon Verified Permissions

0

Hello together. 5 days ago aws released a quick-start tutorial for Amazon Verified Permissions(AVP) on Youtube. I want to use AVP with my Cognito Instance and API Gateway. At Minute 07:25 we have to deploy a CloudFormation Stack. This stack runs on an error. I have tried it several times. The creation of LambaServiceRole seams to be the root cause (or the first) which ends with the status "CREATION_FAILED". I got this information from the "Events" tab in the created stack. The status reason is the following:

Resource handler returned message: "The security token included in the request is invalid (Service: Iam, Status Code: 403, Request ID: 336205ef-2de2-482f-aded-7c6fb5db05b9)" (RequestToken: 1f125552-3390-2f9a-72c7-31acc77a2387, HandlerErrorCode: AccessDenied)

I do not have any ideas how to solve this issue. I´m working with the root user. So there shouldn´t be any permission restrictions on that user. I appreciate every help. Thank you very much.

Best whishes Philipp

Topics
Management & GovernanceSecurity, Identity, & Compliance
Tags
AWS CloudFormationAmazon Verified Permissions
Language
English
Philschke
asked 19 days ago183 views
2 Answers
0

Hi,

I just tested it, the cloudformation seems to work correctly in my case. Since you are using the root user, the only plausible explanation would be the issue is being caused by higher level restrictions i.e. imposed by an AWS Organizations service control policy (SCP) that affects your AWS account. In this case, you would need to review and update the SCP to grant the necessary permissions.

If it is not SCP related, I would suggest you to approach AWS support, since this issue could be specific to your account.

Thanks, Rama

profile pictureAWS
Rama
answered 19 days ago
profile picture
EXPERT
Giovanni Lauria
reviewed 19 days ago
  • Philschke
    18 days ago

    Hi Rama. Thank you for the testing of my problem. Good to know, that the steps in the tutorial works fine. My AWS account doesn´t belong to an AWS organization. So there are no SCPs present. I will ask my question to AWS support. If anyone still has a hint, I would be very grateful. Thanks, Philipp

0

I've had the same issue with getting 403s on creating the AVPAuthorizerLambdaServiceRole when following the same steps in the tutorial. We're using a user with Administrator Access.

In our case, it doesn't seem to be associating an IAM role with the created stack, so it fails on deployment.

I'm not sure why it's not setting it, but I was able to create the AVPAuthorizer in CloudFormation manually by doing the following:

  • Downloading the template for the failed AVPAuthorizer in CF
  • Creating a new stack using this template
  • Setting the correct IAM role on the Permissions section (Step 3)

This creates the AVP Authorizer for us but we want to have it create via the AVP Cognito / API Gateway setup options.

ChiaC
answered 18 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content