Description

When provisioning an IAM resource from an AWS CloudFormation template through Cloud Management, you might receive the following error:

Failed to execute API - Failed with status code and message: 400: <ErrorResponse xmlns="http://cloudformation.amazonaws.com/doc/2010-05-15/"> <Error> <Type>Sender</Type> 
<Code>InsufficientCapabilitiesException</Code> <Message>Requires capabilities : [CAPABILITY_NAMED_IAM]</Message>
</Error> <RequestId>xxxxxxx</RequestId> </ErrorResponse> (script_include:CloudRESTAPIInvoker; line 142)

Release or Environment

Any

Cause

This is standard CloudFormation behaviour, not a Cloud Management defect. Because a stack that creates IAM resources can grant new permissions in the account, CloudFormation refuses to create or update such a stack unless the caller explicitly acknowledges it by passing a capability: CAPABILITY_IAM when the template declares IAM resources, or CAPABILITY_NAMED_IAM when any of those resources carries a custom name (RoleName, UserName, GroupName, ManagedPolicyName, InstanceProfileName), which is what the error above asks for.
From the AWS CLI this is the "--capabilities CAPABILITY_NAMED_IAM" option on create-stack/update-stack; in the AWS console it is the "I acknowledge that AWS CloudFormation might create IAM resources with custom names" checkbox. Cloud Management does not send this acknowledgement by default, so the CreateStack call is rejected with InsufficientCapabilitiesException.

Resolution

To pass the equivalent acknowledgement from Cloud Management, add it to the API parameters of the catalog item's Provision operation:

  1. From Cloud Admin Portal - Design - Cloud Catalog items, open the IAM CFT template you created earlier.
  2. On the related links, click Manage Attributes, then click Blueprint Container Resource.Provision.
  3. On the operation attributes, click AdditionalAPIParameters.
  4. In the mapping column, enter the following JSON and then save/update it. The key uses the CloudFormation Query API list syntax (Capabilities.member.N), so a second capability, if one were ever needed, would go under Capabilities.member.2:
    {
      "Capabilities.member.1": "CAPABILITY_NAMED_IAM"
    }
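Before wiring the mapping into the catalog item, it helps to know which capability the template will actually be asked for. The following Python is an added example, not part of the original article or of Cloud Management: it applies the same rule CloudFormation uses when it raises InsufficientCapabilitiesException (IAM resources need CAPABILITY_IAM; IAM resources with a custom name need CAPABILITY_NAMED_IAM) and renders the result in the Capabilities.member.N form that the AdditionalAPIParameters mapping expects. The resource-type table is taken from the CloudFormation documentation; SAMPLE_TEMPLATE is constructed for the example and the function names are this example's own.

```python
"""Pre-flight check for the CloudFormation IAM capability requirement.

Added example (not from the article). Mirrors the rule CloudFormation
applies when it raises InsufficientCapabilitiesException and renders the
required capability as the Query-API list parameters that the Cloud
Management AdditionalAPIParameters mapping passes to CreateStack.
"""
import json

# IAM resource types that require CAPABILITY_IAM, mapped to the property
# that turns each one into a *named* resource (requiring CAPABILITY_NAMED_IAM).
# AWS::IAM::Policy is an inline policy: its PolicyName is mandatory and does
# not count as a custom name, so it never forces NAMED_IAM on its own.
IAM_RESOURCE_NAME_PROPERTY = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
    "AWS::IAM::Policy": None,
    "AWS::IAM::AccessKey": None,
    "AWS::IAM::UserToGroupAddition": None,
}


def required_capabilities(template: dict) -> list:
    """Return the capability list CloudFormation will demand for `template`.

    [] when the template has no IAM resources, ["CAPABILITY_IAM"] for
    unnamed IAM resources, ["CAPABILITY_NAMED_IAM"] as soon as any IAM
    resource carries a custom name (NAMED_IAM also covers the unnamed case).
    """
    needs_iam = False
    needs_named = False
    for resource in template.get("Resources", {}).values():
        rtype = resource.get("Type", "")
        if rtype not in IAM_RESOURCE_NAME_PROPERTY:
            continue
        needs_iam = True
        name_prop = IAM_RESOURCE_NAME_PROPERTY[rtype]
        if name_prop and name_prop in resource.get("Properties", {}):
            needs_named = True
    if needs_named:
        return ["CAPABILITY_NAMED_IAM"]
    if needs_iam:
        return ["CAPABILITY_IAM"]
    return []


def additional_api_parameters(capabilities: list) -> dict:
    """Render capabilities as CreateStack Query-API list parameters
    (Capabilities.member.1, Capabilities.member.2, ...), i.e. the JSON
    that goes into the AdditionalAPIParameters mapping column."""
    return {
        f"Capabilities.member.{i}": cap
        for i, cap in enumerate(capabilities, start=1)
    }


# Constructed sample template (not from the article): a role with an explicit
# RoleName plus an inline policy. The RoleName is what forces NAMED_IAM.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "app-readonly-role",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "ec2.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                    }],
                },
            },
        },
        "AppPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "app-readonly",
                "Roles": [{"Ref": "AppRole"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": "s3:ListBucket",
                                   "Resource": "*"}],
                },
            },
        },
    },
}

if __name__ == "__main__":
    caps = required_capabilities(SAMPLE_TEMPLATE)
    print("capabilities required:", caps)
    print("AdditionalAPIParameters mapping:")
    print(json.dumps(additional_api_parameters(caps), indent=2))
```

The authoritative check remains AWS itself: `aws cloudformation validate-template --template-body file://template.json` returns `Capabilities` and `CapabilitiesReason` for the template, and the CLI equivalent of the mapping above is `aws cloudformation create-stack ... --capabilities CAPABILITY_NAMED_IAM`. The local check is useful for catching the case early in a pipeline and for explaining to the template author which property triggered the named-IAM requirement.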


Sometimes passing the capability is not enough to provision the IAM resource. The capability is only an acknowledgement; the AWS credential Cloud Management uses still needs IAM permissions of its own. If that is the case, ask the AWS admin team to grant the following to that credential (the statement from this article, shown inside a complete policy document):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:Get*",
        "iam:List*",
        "iam:Role*",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
Note that the actions listed are read-only (Get, List, Simulate, Generate), and "iam:Role*" does not match any IAM action name, since IAM actions are verb-first (CreateRole, PassRole, and so on). For a template that creates a role, the credential also needs the corresponding write actions: at minimum iam:CreateRole plus iam:PutRolePolicy or iam:AttachRolePolicy, iam:PassRole if the role is handed to another service, and iam:DeleteRole and its counterparts so the stack can be deleted. Where the environment allows, scope the Resource of those write actions to the role ARN pattern the template uses rather than "*".

Article Information

Last Updated: 2020-09-14 02:10:29
Published: 2020-09-14