devsecops-example-helloworld

An error occurred (InsufficientCapabilitiesException) when calling the UpdateStack operation: Requires capabilities : [CAPABILITY_NAMED_IAM]

Open threezerous opened this issue 8 years ago • 3 comments

Hello,

I am kind of a noob to CloudFormation, learning and trying out the example as I progress. So, apologies in advance if this is something too obvious. I was able to get as far in the installation as creating the stack with network/hello-world using the listed policy. However, the step of updating the stack with security/hello-world (https://github.com/boozallen/devsecops-example-helloworld/blob/master/cloud-formation/security/helloworld/main.yml) fails with the error:

An error occurred (InsufficientCapabilitiesException) when calling the UpdateStack operation: Requires capabilities : [CAPABILITY_NAMED_IAM]

I attempted adding the --capabilities CAPABILITY_IAM to my CLI as below, but that didn't help.

aws cloudformation update-stack --stack-name myteststack --template-url https://s3.amazonaws.com/sushanttest/cloud-formation/security/helloworld/main.yml --parameters ParameterKey=Environment,ParameterValue=dev ParameterKey=VPCCIDRBlock,ParameterValue=172.27.10.0/24 ParameterKey=PrivilegedCIDR1,ParameterValue=172.27.0.10 ParameterKey=ProvisioningBucket,ParameterValue=resourcesdevsecops --capabilities CAPABILITY_IAM

Is there a specific IAM role that I need to create separately? It should be part of the stack, right?

Thanks in advance

threezerous, Dec 18 '17 12:12

Actually, the issue got resolved after I updated the command as

aws cloudformation update-stack --stack-name myteststack --template-url https://s3.amazonaws.com/sushanttest/cloud-formation/security/helloworld/main.yml --parameters ParameterKey=Environment,ParameterValue=dev ParameterKey=VPCCIDRBlock,ParameterValue=172.27.10.0/24 ParameterKey=PrivilegedCIDR1,ParameterValue=172.27.0.10 ParameterKey=ProvisioningBucket,ParameterValue=resourcesdevsecops --capabilities CAPABILITY_NAMED_IAM

threezerous, Dec 19 '17 00:12

Yes, @threezerous, you need to use CAPABILITY_NAMED_IAM because the CloudFormation template creates a role and an instance profile with a custom name. See also https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

robproper, Dec 19 '17 03:12
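The rule described in the comment above, as an added example that is not part of the thread or the project's code: a pre-deploy check that lists the IAM resources a template creates and reports the narrowest capability it needs. It assumes a JSON template (the project's is YAML) with constructed resource names, and it is an approximation; `aws cloudformation validate-template` reports the authoritative `Capabilities` list.

```python
import json

# IAM resource types that need a capability acknowledgement, mapped to the
# property that gives the resource a custom name (None: no such property).
IAM_NAME_PROPS = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::Policy": None,
    "AWS::IAM::AccessKey": None,
    "AWS::IAM::UserToGroupAddition": None,
}


def required_capability(template):
    """Return (capability, findings) for a parsed JSON template."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        rtype = res.get("Type")
        if rtype not in IAM_NAME_PROPS:
            continue  # not an IAM resource, no acknowledgement needed
        name_prop = IAM_NAME_PROPS[rtype]
        named = name_prop if name_prop in res.get("Properties", {}) else None
        findings.append((logical_id, rtype, named))
    if not findings:
        return None, findings
    if any(named for _, _, named in findings):
        return "CAPABILITY_NAMED_IAM", findings
    return "CAPABILITY_IAM", findings

# Constructed sample (hypothetical names): a role and an instance profile
# with custom names, plus a non-IAM resource that should be ignored.
SAMPLE = json.loads("""
{"Resources": {
  "AppRole": {"Type": "AWS::IAM::Role",
              "Properties": {"RoleName": "example-app-role",
                             "AssumeRolePolicyDocument": {}}},
  "AppProfile": {"Type": "AWS::IAM::InstanceProfile",
                 "Properties": {"InstanceProfileName": "example-app-profile",
                                "Roles": [{"Ref": "AppRole"}]}},
  "Vpc": {"Type": "AWS::EC2::VPC",
          "Properties": {"CidrBlock": "172.27.10.0/24"}}
}}
""")

if __name__ == "__main__":
    print(required_capability(SAMPLE))
```

Running the check in review shows exactly which resources force the acknowledgement, so the pipeline passes `CAPABILITY_NAMED_IAM` only for templates that set custom IAM names.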

Hey, I had no idea I had to use the --capabilities CAPABILITY_NAMED_IAM option at all. Thanks for the tips!

icecream-monster, Apr 25 '21 00:04