AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]

Question

When creating a stack with CloudFormation, I get this error:

Stack update error: Requires capabilities : [CAPABILITY_IAM]

I can't find a template for adding CAPABILITIES_IAM to the CloudFormation configuration.

What are the options for resolving CAPABILITIES_IAM errors?

Answer 1

Turns out you need to check a box on the last screen of the stack creation. If you are using the console, just above the 'create stack' button there's a box asking you to acknowledge that you want to allow Cloudformation to modify IAM stuff. You can, of course, create the stack without the acknowledgement, which will cause the stack to fail with the CAPABILITY_IAM error (or another error, if a different capability is required).

In CodePipeline CloudFormation you can add it like this to allow execution of the created change_set in the deploy action:

Configuration:
        StackName: !Ref GitHubRepository
        ActionMode: CHANGE_SET_REPLACE
        Capabilities: CAPABILITY_NAMED_IAM
        RoleArn: arn:aws:iam::818272543125:role/events-list-codepiplinerole
        ChangeSetName: !Join ["",[!Ref GitHubRepository, "-changeset"]]
        TemplatePath: MyAppBuild::sam_post.yaml

In the aws cli append

--capabilities CAPABILITY_IAM

or

--capabilities CAPABILITY_NAMED_IAM

To your command like this:

aws cloudformation create-stack --stack-name message-store --template-body file://bucket_with_keys.yaml --parameters file://cfg_bucket_with_keys.json --capabilities CAPABILITY_NAMED_IAM

This does not apply to cloudformation --validate-template as it is not actually creating the resources.

Answer 2

If you are using the AWS CLI, you can add an extra parameter to the aws cloudformation create-stack command that explicitly states you want these capabilities provided.

(this is the CLI equivalent of ticking the checkbox in the other answer here).

The parameter is --capabilities CAPABILITY_IAM, so your command would look like:

aws cloudformation create-stack --stack-name $STACK_NAME --capabilities CAPABILITY_IAM

Hope that helps

Answer 3

In the case you are using SAM,

• Possibility 1: use sam deploy --guided and at the prompt:

"SAM needs permission to be able to create roles to connect to the resources in your template Allow SAM CLI IAM role creation"

answer yes. However it will not work if you need the CAPABILITY_NAMED_IAM.

• Possibility 2: pass it as argument in the cli

sam deploy --capabilities CAPABILITY_IAM

or

sam deploy --capabilities CAPABILITY_NAMED_IAM

or both:

sam deploy --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM

• Possibility 3: edit the samconfig.toml file (or however you named the config file) in this way:

capabilities = "CAPABILITY_IAM CAPABILITY_NAMED_IAM"

which enables you to simply use sam deploy every time without arguments

Answer 4

Just above the create stack button, turn on acknowledge in the console.

Answer 5

If "CAPABILITY_IAM" is not supported, you can try "CAPABILITY_NAMED_IAM"

https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

Answer 6

In case someone comes here from Google (like I did) and is using Terraform, make sure you add a capabilities argument:

resource "aws_cloudformation_stack" "cloudformation_stack" {
  # ...
  capabilities = [ "CAPABILITY_IAM" ]
}

Answer 7

If anybody face the same problem trying to deploy using SAM, you just need to add the --capabilities flag:

sam deploy --guided --capabilities CAPABILITY_NAMED_IAM

using-iam-capabilities