AWS::CloudFormation::StackSet can successfully use PermissionModel: SERVICE_MANAGED in the management account of an AWS Organization, but it currently fails in a delegated account with the error `You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set`.
Note that I tested deploying a stack set in the delegated account through the web console and was successful, so I suspect this _might_ be something to do with CloudFormation needing to set callAs on the call to createStackSet (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html)
This one's very important to my org too! We have a feature request open for this bug - I believe the more of us who add our voices to the feature request, the higher priority it will become...
Just hit this issue myself. Want to use a delegated security account to deploy guardduty members across all accounts in my control tower, but alas I must create this stack set in the management account.
Is this a bug or feature request? ;)
Running into this same issue.
Hi folks, StackSets PM here. This is a miss on our part. We are aware of the missing support for creating and managing a Service Managed StackSet from a registered Delegated Admin account in your AWS Organization using the AWS::CloudFormation::StackSet resource. We are working to resolve it by implementing the --CallAs attribute within the resource. And, we expect to launch it by end of Q2.
Thanks @anandsurada !
Just tripped over this myself. Annoying as the error message makes it seems like it's supported when it's not.
Please get this resolved soon... it just stopped my project in its tracks.
Any updates on this please team? @anandsurada
About to start building a solution which this feature would heavily rely on.
I don't want to create stack sets in the management account if I could avoid it.
There's now a CallAs attribute on the StackSet resource, which looks like it addresses this issue. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-stackset.html#cfn-cloudformation-stackset-callas
Hi folks, Yes, we launched this yesterday! The CallAs attribute should now be available in the StackSet Resource. Thanks @jfoy for sharing the documentation link here.
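Added example (not from any commenter or from AWS): a template deployed in the registered delegated admin account that uses the new CallAs attribute to create a SERVICE_MANAGED StackSet, here rolling out a GuardDuty detector to an OU. The OU id, region and stack names are placeholders.

```yaml
# Added example: deploy this template as a stack *in the delegated admin account*.
# Without `CallAs: DELEGATED_ADMIN` the resource fails with the error quoted in
# the issue. OU id and region below are placeholders; adjust for your organization.
AWSTemplateFormatVersion: "2010-09-09"
Description: Org-wide GuardDuty detector rollout from a delegated admin account

Parameters:
  TargetOU:
    Type: String
    Description: Placeholder OU id (e.g. ou-xxxx-xxxxxxxx) that receives stack instances

Resources:
  GuardDutyDetectorStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: org-guardduty-detector
      PermissionModel: SERVICE_MANAGED
      # The fix discussed in the thread: CloudFormation calls CreateStackSet as the
      # delegated admin instead of assuming the caller is the management account.
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true                   # accounts added to the OU get the stack automatically
        RetainStacksOnAccountRemoval: false
      OperationPreferences:
        FailureToleranceCount: 0
        MaxConcurrentCount: 5
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref TargetOU
          Regions:
            - us-east-1                 # placeholder region
      TemplateBody: |
        AWSTemplateFormatVersion: "2010-09-09"
        Resources:
          Detector:
            Type: AWS::GuardDuty::Detector
            Properties:
              Enable: true
```

This assumes the account was first registered from the management account as a StackSets delegated administrator (service principal `member.org.stacksets.cloudformation.amazonaws.com`); otherwise the same error is returned regardless of CallAs.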
Confirmed - I just tried this and it worked first time. And still 6 weeks left in Q2 @anandsurada ! :)
Thanks!
@anandsurada Do you know if this update has enabled CodePipeline to create service managed StackSets as mentioned in #796 or would implementation fall to a different team?
@anandsurada I am also interested in this functionality working for CodePipeline as well.
Hi @PCIS-Paul, That would involve updating the StackSet action in Code Pipeline and would fall under a different team. Let me reach out to the Code Pipeline team and get their attention on #796 .