After running the `aws cloudformation package` command, I then run deploy and get this:

```
aws cloudformation deploy --template-file new_template.yml --stack-name stack_name --capabilities CAPABILITY_IAM --profile profile_name
Waiting for changeset to be created..
'Status'
```

It exits at that point. It gets stuck on the first event:

```
"ResourceStatus": "REVIEW_IN_PROGRESS",
```
I am using the code from this example:
https://github.com/awslabs/serverless-application-model/tree/master/examples/2016-10-31/hello_world

```
aws-cli/1.11.36 Python/2.7.10 Darwin/16.3.0 botocore/1.4.93
```
Just an update:

Having only this cloudformation action allowed, `cloudformation:DescribeStacks`, will give this error:

```
An error occurred (AccessDenied) when calling the CreateChangeSet operation: User: arn:aws:iam::account_id:user/user_name is not authorized to perform: cloudformation:CreateChangeSet
```

So when I allow `cloudformation:CreateChangeSet` by adding it to the policy, then the deploy command exits and all I see is this:

```
Waiting for changeset to be created..
'Status'
```

I'm guessing I need to allow more actions, but there is no error message telling me what I'm missing. This is probably an awscli cloudformation issue, I'm guessing.
Does it complete if you call deploy with the `--no-execute-changeset` option?
If yes, then you might be missing the `cloudformation:ExecuteChangeSet` permission.

```
aws cloudformation deploy --template-file new_template.yml --stack-name stack_name --capabilities CAPABILITY_IAM --profile profile_name --no-execute-changeset
```

This produces the same result.
Allowing `cloudformation:*` in the policy causes it to work.

The `deploy` command calls the CreateChangeSet API followed by the ExecuteChangeSet API. You should have both permissions in your policy for this to work. Of course, you should also have permissions to create/manage the resources specified in your template.

My guess is that the CLI does not handle exceptions when calling ExecuteChangeSet. Needs more investigation.
@sanathkr I copied and pasted your api_gateway code, and the deploy failed. Here is the detailed info, and hopefully this gives you some info to help out.

1) First, I replaced the s3 bucket name with my specific one:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Simple CRUD webservice. State is stored in a SimpleTable (DynamoDB) resource.
Resources:
  GetFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.get
      Runtime: nodejs4.3
      CodeUri: s3://serverless-asset/api_backend.zip
      Policies: AmazonDynamoDBReadOnlyAccess
      Environment:
        Variables:
          TABLE_NAME: !Ref Table
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: get
  PutFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.put
      Runtime: nodejs4.3
      CodeUri: s3://serverless-asset/api_backend.zip
      Policies: AmazonDynamoDBFullAccess
      Environment:
        Variables:
          TABLE_NAME: !Ref Table
      Events:
        PutResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: put
  DeleteFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.delete
      Runtime: nodejs4.3
      CodeUri: s3://serverless-asset/api_backend.zip
      Policies: AmazonDynamoDBFullAccess
      Environment:
        Variables:
          TABLE_NAME: !Ref Table
      Events:
        DeleteResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: delete
  Table:
    Type: AWS::Serverless::SimpleTable
```
2) Then I use the following commands to package and deploy the stack:

```
$ aws cloudformation package --template-file template.yaml --output-template-file new_template.yaml --s3-bucket s3://serverless-asset
$ aws cloudformation deploy --template-file ./serverless/example_api_backend/new_template.yaml --stack-name serverless-api-backend-test-4 --capabilities CAPABILITY_IAM
```
3) Then awscli told me it failed, and I searched for which action/step failed:

```
$ aws cloudformation describe-stack-events --stack-name serverless-api-backend-test-4 | grep FAILED
"EventId": "Table-CREATE_FAILED-2017-05-04T18:55:55.655Z",
"ResourceStatus": "CREATE_FAILED",
"EventId": "PutFunctionRole-CREATE_FAILED-2017-05-04T18:55:55.032Z",
"ResourceStatus": "CREATE_FAILED",
"EventId": "DeleteFunctionRole-CREATE_FAILED-2017-05-04T18:55:54.906Z",
"ResourceStatus": "CREATE_FAILED",
"EventId": "GetFunctionRole-CREATE_FAILED-2017-05-04T18:55:54.702Z",
"ResourceStatus": "CREATE_FAILED",
```
After granting this user (I called it serverlessAdmin) all permissions (essentially an account admin), the above errors go away. But I don't think it's good practice. It would be great if we could find out the minimal policy that should be attached to this user.
I was facing the same problem, and yeah, adding permissions helped, but ideally I would like to see an error message that describes to me what went wrong.
I just got this issue and it's because I was missing the `cloudformation:DescribeChangeSet` permission.
Nothing actionable here. Closing
For anybody visiting here with a similar issue: I had this problem, but there were no Events in CloudFormation alerting me to missing permissions. I then used `aws cloudformation execute-change-set`, which failed and alerted me to the missing permissions in the CloudFormation dashboard. After adding what I now believe are the minimum permissions, `execute-change-set` works but `deploy` still does not.
My current understanding of the minimum permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": "arn:aws:cloudformation:your-region:your-account:stack/your-stack/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateChangeSet"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionCode",
        "lambda:GetFunctionConfiguration"
      ],
      "Resource": "arn:aws:lambda:your-region:your-account:function:your-function"
    }
  ]
}
```
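Because `deploy` swallows the AccessDenied, a quick offline way to spot the gap is to evaluate the posted policy against the CloudFormation actions the thread says `deploy` makes. The following is an added example (not code from the thread or from awscli): a deliberately simplified IAM evaluator that only handles `Effect`, `Action`, `Resource` and `*` wildcards (no `Condition`, `NotAction`, SCPs or resource policies), with the posted "minimum permissions" JSON embedded as constructed input and a constructed stack ARN.

```python
import fnmatch
import json

# Constructed copy of the "minimum permissions" policy posted above,
# placeholders (your-region, your-account, your-stack) left as written.
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::your-bucket/*"},
  {"Effect": "Allow",
   "Action": ["cloudformation:DescribeStacks", "cloudformation:ExecuteChangeSet",
              "cloudformation:GetTemplateSummary"],
   "Resource": "arn:aws:cloudformation:your-region:your-account:stack/your-stack/*"},
  {"Effect": "Allow", "Action": ["cloudformation:CreateChangeSet"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:GetRole"], "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["lambda:UpdateFunctionCode", "lambda:GetFunctionConfiguration"],
   "Resource": "arn:aws:lambda:your-region:your-account:function:your-function"}
]}
""")

# CloudFormation actions the thread reports `deploy` needs, in call order.
DEPLOY_ACTIONS = [
    "cloudformation:CreateChangeSet",
    "cloudformation:DescribeChangeSet",   # the one a commenter found missing
    "cloudformation:ExecuteChangeSet",
    "cloudformation:DescribeStacks",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, fold_case):
    # IAM treats '*' and '?' as wildcards; action names are case-insensitive,
    # ARNs are matched as written.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow; else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_deploy_actions(policy, stack_arn):
    """Return the deploy-time actions this policy does not allow on stack_arn."""
    return [a for a in DEPLOY_ACTIONS if not is_allowed(policy, a, stack_arn)]
```

Against the posted policy this reports `cloudformation:DescribeChangeSet` as missing, which matches the earlier comment; for the authoritative answer run `aws iam simulate-principal-policy` against the real user, since this toy evaluator ignores conditions and the other policy types IAM consults.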