2
votes

I am trying to launch a CFN templated, Nested Stack. The child stack is in a bucket in the same region as the parent I am trying to launch via CFN console.

I have Administrator Access and am able to create the resources via a single CFN template, but for some reason, when using nested stacks the following error is returned:

    The following resource(s) failed to create: [My-Sns-Stack]. . Rollback requested by user.
    My-Sns-Stack    CREATE_FAILED   S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

I've checked the following resources, but they don't resolve the issue:

Specifying an S3 bucket when deploying a cloudformation template

https://www.reddit.com/r/aws/comments/bjk3qw/cloudformation_nested_stacks_s3_access/

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html

...
    Resources:
        SnsStack:
            Type: AWS::CloudFormation::Stack
            Properties:
                TemplateURL: !Ref SnsStackUrl
                TimeoutInMinutes: 15
...
1
Are there any bucket policies? Are you deploying the template with a custom CloudFormation role, or using an instance role? - Marcin

No bucket policies, default. I've tried deploying with a custom IAM role for CFN (Administrator access), AND also without a role (I have Administrator access), so it should assume my permissions. - user10756193

1 Answer

6
votes

I found this error less than useful as I assumed it was to do with the CloudFormation template not having access to the S3 resources referenced within it. Turns out it was more simple and the 'Access Denied' error was actually indicating the S3 file containing my CloudFormation template was not found. Within the reference to my nested CloudFormation stack, the TemplateURL: had a typo.
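
A pre-flight check for the situation this answer describes, added here as an example (it is not code from the question, the answer, or AWS): S3 answers 403 rather than 404 for a missing key when the caller lacks s3:ListBucket, so a mistyped TemplateURL can surface as "Access Denied". The function names and return labels are hypothetical; the only AWS calls are boto3's `head_object` and `list_objects_v2`, and the `s3` parameter accepts any client with those two methods.

```python
import re
from urllib.parse import urlparse, unquote

# <bucket>.s3.<region>.amazonaws.com/<key> (virtual-hosted) and
# s3.<region>.amazonaws.com/<bucket>/<key> (path style); region is optional.
_VHOST = re.compile(r"^(?P<bucket>.+)\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")
_PATH = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")

def split_template_url(url):
    """Return (bucket, key) for an S3 HTTP(S) URL; raise ValueError otherwise."""
    u = urlparse(url.strip())
    host, path = (u.hostname or "").lower(), unquote(u.path.lstrip("/"))
    m = _VHOST.match(host)
    if m:
        bucket, key = m.group("bucket"), path
    elif _PATH.match(host):
        bucket, _, key = path.partition("/")
    else:
        raise ValueError(f"not an S3 endpoint host: {host!r}")
    if not bucket or not key:
        raise ValueError(f"bucket or key missing in {url!r}")
    return bucket, key

def _code(exc):
    # botocore's ClientError keeps the service error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def check_template(url, s3=None):
    """Classify a TemplateURL: 'found', 'missing', 'denied' or 'ambiguous'."""
    bucket, key = split_template_url(url)
    if s3 is None:
        import boto3  # only needed when talking to real S3
        s3 = boto3.client("s3")
    try:
        s3.head_object(Bucket=bucket, Key=key)
        return "found"
    except Exception as exc:
        if _code(exc) == "404":
            return "missing"
        if _code(exc) != "403":
            raise
    # 403 on HEAD is ambiguous: S3 returns it instead of 404 when the caller
    # lacks s3:ListBucket. Listing the exact key as a prefix settles it.
    try:
        page = s3.list_objects_v2(Bucket=bucket, Prefix=key, MaxKeys=1)
    except Exception as exc:
        if _code(exc) == "AccessDenied":
            return "ambiguous"  # cannot list either: typo or real denial
        raise
    keys = [o["Key"] for o in page.get("Contents", [])]
    return "denied" if key in keys else "missing"
```

An "ambiguous" result means the credentials used cannot tell a typo from a real denial, so the next step is to compare the URL character by character against the object's actual key.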