Permission issue on resource arn:aws:cloudformation:us-east-1:aws:transform



























I am trying to integrate Swagger with API Gateway and Lambda using Swagger extensions. The Swagger file is uploaded to an S3 bucket, and I am using Body with transform and include as below.



Using BodyS3Location in the AWS::ApiGateway::RestApi properties returns the error "Unable to parse API definition because of a malformed integration" for the same integration mentioned above. I referred to "Swagger file with AWS Extensions stored in S3 Bucket for API Creation with Cloudformation"

and modified the template as below for the AWS::ApiGateway::RestApi properties:

    Body:
      Fn::Transform:
        Name: AWS::Include
        Parameters:
          Location:
            Fn::Sub: "s3://${BucketName}/apiSwaggerSpec.yaml"



For the stack above I have all the permissions on CloudFormation actions.



Below is the code I have added as a Swagger extension.

    x-amazon-apigateway-auth:
      type: "aws_iam"
    x-amazon-apigateway-integration:
      type: "aws_proxy"
      httpMethod: "POST"
      passthroughBehavior: "when_no_match"
      uri:
        Fn::Sub: "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:${accountId}:function:testLambdaFunction/invocations"
      credentials:
        Fn::Sub: "arn:aws:iam::${accountId}:role/${myRole}"
      responses:
        default:
          statusCode: 200



I am getting a permission denied error with the message:
myrole is not authorized to perform cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:aws:transform/include



Do I need to add special permissions for transform/include? The AWS documentation says it doesn't need special permissions.

































  • Is your CloudFormation Role able to access the Swagger-File in the Bucket, i.e. does it have the permissions to do so?

    – Maurice
    Jan 1 at 23:43













  • Yes, the bucket is public, and for "myRole" I have "cloudformation:*" actions allowed for the stacks with prefix "apiGlobal". Here my stack name is apiGlobal.

    – Steve
    Jan 3 at 6:05
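
Why a grant scoped to stack ARNs does not cover the resource named in the error, as an added example that is not part of the original question or its comments. The policy shape, the placeholder account id 111122223333 and the helper names `is_allowed` and `with_transform` are assumptions, and the matcher is a simplified model of IAM wildcard matching, not the full evaluation logic.

```python
import re

# ARN copied verbatim from the error message in the question.
TRANSFORM_ARN = "arn:aws:cloudformation:us-east-1:aws:transform/include"
# Constructed sample stack ARN; 111122223333 is a placeholder account id.
STACK_ARN = "arn:aws:cloudformation:us-east-1:111122223333:stack/apiGlobal/sample-id"

# Assumed shape of the grant described in the comments: "cloudformation:*"
# limited to stacks whose name starts with "apiGlobal".
STACK_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "cloudformation:*",
    "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/apiGlobal*",
}]}

# Narrow extra statement: only CreateChangeSet, only on the transform resource.
TRANSFORM_STATEMENT = {
    "Effect": "Allow",
    "Action": "cloudformation:CreateChangeSet",
    "Resource": TRANSFORM_ARN,
}

def _glob(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: * is any run of characters, ? is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource):
    """Simplified check: explicit Deny wins, otherwise any matching Allow.
    Ignores Condition, NotAction/NotResource, boundaries and SCPs."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(_glob(a, action, True) for a in _as_list(st["Action"]))
               and any(_glob(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def with_transform(policy):
    return {**policy, "Statement": policy["Statement"] + [TRANSFORM_STATEMENT]}

if __name__ == "__main__":
    for name, pol in (("stack-scoped", STACK_SCOPED), ("with transform", with_transform(STACK_SCOPED))):
        for arn in (STACK_ARN, TRANSFORM_ARN):
            print(name, arn, is_allowed(pol, "cloudformation:CreateChangeSet", arn))
```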

























amazon-web-services swagger amazon-cloudformation aws-api-gateway openapi
















asked Jan 1 at 6:54









Steve


























