21
votes

I get this error when I run create-stack for a CloudFormation template that contains IAM policies.

aws cloudformation create-stack --stack-name iam-stack --template-body file://./iam.yml --capabilities CAPABILITY_IAM --profile dev

An error occurred (InsufficientCapabilitiesException) when calling the CreateStack operation: Requires capabilities : [CAPABILITY_NAMED_IAM]

4 Answers

37
votes

Change --capabilities to CAPABILITY_NAMED_IAM

If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. If you don't specify this parameter, this action returns an InsufficientCapabilities error.

https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
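
The rule quoted above can be checked before `create-stack` is run. The following is an added example, not code from the original answers or from AWS: the function name `required_capability`, the list of name properties it inspects, and the sample templates are assumptions made for illustration, and it reads JSON templates only (a YAML template such as `iam.yml` would need converting first).

```python
import json

# IAM resource types for which CloudFormation asks for a capability acknowledgement.
IAM_TYPES = {
    "AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
    "AWS::IAM::ManagedPolicy", "AWS::IAM::Policy", "AWS::IAM::Role",
    "AWS::IAM::User", "AWS::IAM::UserToGroupAddition",
}
# Assumption: these are the properties that give an IAM resource a custom name.
NAME_PROPS = {"RoleName", "UserName", "GroupName",
              "InstanceProfileName", "ManagedPolicyName"}


def required_capability(template):
    """Return (capability or None, findings) for a parsed template dict.

    findings lists (logical id, type, custom-name properties) for every IAM
    resource, so a reviewer can see what the acknowledgement covers.
    """
    capability, findings = None, []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") not in IAM_TYPES:
            continue
        named = sorted(NAME_PROPS & set(res.get("Properties") or {}))
        findings.append((logical_id, res["Type"], named))
        if named:
            capability = "CAPABILITY_NAMED_IAM"   # custom name present
        elif capability is None:
            capability = "CAPABILITY_IAM"         # IAM resource, generated name
    return capability, findings


# Constructed sample templates, not taken from the original question.
NAMED = json.loads('{"Resources": {"AppRole": {"Type": "AWS::IAM::Role", '
                   '"Properties": {"RoleName": "app-role", '
                   '"AssumeRolePolicyDocument": {}}}}}')
UNNAMED = json.loads('{"Resources": {"AppRole": {"Type": "AWS::IAM::Role", '
                     '"Properties": {"AssumeRolePolicyDocument": {}}}}}')
NO_IAM = json.loads('{"Resources": {"Logs": {"Type": "AWS::S3::Bucket"}}}')

if __name__ == "__main__":
    for label, tpl in (("named", NAMED), ("unnamed", UNNAMED), ("no-iam", NO_IAM)):
        cap, found = required_capability(tpl)
        print(label, cap, found)
```

`aws cloudformation validate-template` reports the capabilities CloudFormation itself requires for a template and remains the authoritative check; the script only makes the IAM resources behind that requirement visible for review.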

4
votes

As per the AWS docs, if you specify a role name in CloudFormation, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities.

So your command should be

aws cloudformation create-stack --stack-name iam-stack --template-body file://./iam.yml --capabilities CAPABILITY_NAMED_IAM --profile dev

0
votes

In my case I needed both CAPABILITY_IAM and CAPABILITY_NAMED_IAM capabilities for a resource of type "AWS::IAM::Role".

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudFormation.html#createStack-property

0
votes

If you are using AWS CodePipeline to deploy an EC2 using a CloudFormation stack, there is an option called "Capabilities" from which you can select CAPABILITY_NAMED_IAM.