调用 CreateStack 操作时发生错误（AccessDenied）：

Question

An error occurred (AccessDenied) when calling the CreateStack operation: User: arn:aws:iam::812520856627:user/dimitris is not authorized to perform: cloudformation:CreateStack on resource: arn:aws:cloudformation:us-west-2:812520856627:stack/blog-stage/*

我试图在命令上运行它：

aws cloudformation create-stack --stack-name blog-stage --template-body file://$PWD/stack.yml --profile demo --region us-west-2

Resources:
  AppNode:
    Type: AWS::EC2::Instance
    Properties:
        InstanceType: t2.micro
        ImageId: ami-0c579621aaac8bade
        KeyName: jimapos
        SecurityGroups:
          - !Ref AppNodeSG
  AppNodeSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: for the app nodes that allow ssh, http and docker ports
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
          - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0

Answer 1

您正在尝试针对 User dimitris 创建堆栈，而该堆栈未被授权执行 cloudformation:CreateStack

To assign permission to the user goto https://console.aws.amazon.com/iam/home#/home -> 用户 -> 选择用户 -> 添加权限

尝试使用用户限制添加此策略。

示例 授予创建和查看堆栈操作的示例策略

{
    "Version":"2012-10-17",
    "Statement":[{
        "Effect":"Allow",
        "Action":[
            "cloudformation:CreateStack",
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:ValidateTemplate"  
        ],
        "Resource":"*"
    }]
}

您可以查看此link 以自定义或将策略重新粘贴到特定资源。

您可以创建自定义策略，也可以附加以下现有策略。