aws-control-tower-customizations
Error when using cloudformation_resource with template in public S3
I have a cloudformation_resources entry:

    - name: StackSetExecutionRole
      template_file: s3://cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml
      parameter_file: parameters/stack-set-execution-role.json
      deploy_method: stack_set
      deploy_to_ou: # :type: list
        - Custom
      regions:
        - us-east-1

The initial deployment was fine but the subsequent deployment fails with this error:

    {"time_stamp": "2020-10-20 11:44:15,382","log_level": "INFO","log_message": Comparing the template of the StackSet: CustomControlTower-StackSetExecutionRole with local copy of template}
    {"time_stamp": "2020-10-20 11:44:15,382","log_level": "INFO","log_message": Downloading cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml from S3 to /tmp/tmpejy3m4eg}
    {"time_stamp": "2020-10-20 11:44:15,433","log_level": "ERROR","log_message": Unhandled Exception: An error occurred (403) when calling the HeadObject operation: Forbidden}

So somehow the build script isn't able to download/compare the publicly accessible file in S3?
@zoellner Seems there is 403 Forbidden for this S3 object. Can you please confirm the S3 bucket policy allows this function to download the file?
That S3 object isn't mine but belongs to AWS. I am assuming it is public as it is linked here under Set up basic permissions for stack set operations: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html