AWS::CloudFormation::StackSet - enable SERVICE_MANAGED permission model in delegated account #799

Closed
mikebroberts opened this issue Mar 3, 2021 · 14 comments

Comments

@mikebroberts

AWS::CloudFormation::StackSet can successfully use `PermissionModel: SERVICE_MANAGED` in the management account of an AWS Organization, but it currently fails in a delegated account with the error `You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set`.

Note that I tested deploying a stack set in the delegated account through the web console and was successful, so I suspect this might be something to do with CloudFormation needing to set callAs on the call to createStackSet (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html)

@nbmha1

nbmha1 commented Mar 31, 2021

This one's very important to my org too! We have a feature request open for this bug - I believe the more of us who add our voices to the feature request, the higher priority it will become...

@adamcousins

adamcousins commented Apr 8, 2021

Just hit this issue myself. Want to use a delegated security account to deploy GuardDuty members across all accounts in my Control Tower, but alas I must create this stack set in the management account.

Is this a bug or feature request? ;)

@tylerapplebaum

Running into this same issue.

@anandsurada

Hi folks, StackSets PM here. This is a miss on our part. We are aware of the missing support for creating and managing a Service Managed StackSet from a registered Delegated Admin account in your AWS Organization using the AWS::CloudFormation::StackSet resource. We are working to resolve it by implementing the --CallAs attribute within the resource. And, we expect to launch it by end of Q2.

@mikebroberts

Thanks @anandsurada !

@rshayman

Just tripped over this myself. Annoying, as the error message makes it seem like it's supported when it's not.

@tomekklas

Please get this resolved soon... it just stopped my project in its tracks.

@adamcousins

Any updates on this please, team? @anandsurada
About to start building a solution which this feature would heavily rely on.
I don't want to create stack sets in the management account if I can avoid it.

@jfoy

jfoy commented May 19, 2021

There's now a CallAs attribute on the StackSet resource, which looks like it addresses this issue. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-stackset.html#cfn-cloudformation-stackset-callas
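The following template is an added example of the resource configuration the thread arrives at; it is not code posted by any participant or by AWS. It creates a service-managed StackSet from a registered delegated administrator account by setting `CallAs: DELEGATED_ADMIN` (the default, `SELF`, is what produced the error quoted in the issue). The stack set name, the OU ID, the regions and the choice of an `AWS::GuardDuty::Detector` as the per-account payload are placeholders chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: a SERVICE_MANAGED StackSet deployed from a delegated
  administrator account. CallAs: DELEGATED_ADMIN is the property whose
  absence caused the error reported in this issue.

Parameters:
  TargetOUId:
    Type: String
    # Placeholder OU ID (assumption); replace with an OU in your Organization.
    Default: ou-xxxx-xxxxxxxx
    Description: Organizational unit whose member accounts receive the stack

Resources:
  OrgGuardDutyDetectors:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: org-guardduty-detectors      # assumed name
      Description: Enable a GuardDuty detector in every account under the OU
      PermissionModel: SERVICE_MANAGED           # uses the Organizations-managed roles
      # SELF (the default) requires the management account; DELEGATED_ADMIN
      # tells StackSets the caller is a registered delegated administrator.
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true                            # new accounts in the OU get the stack
        RetainStacksOnAccountRemoval: false      # tear down when an account leaves the OU
      OperationPreferences:
        FailureToleranceCount: 0                 # stop the operation on the first failure
        MaxConcurrentCount: 5
        RegionConcurrencyType: SEQUENTIAL
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref TargetOUId
          Regions:                               # assumed regions
            - us-east-1
            - eu-west-1
      # Per-account template. A detector is a one-per-region resource, so this
      # fails in any account/region where GuardDuty is already enabled.
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        Resources:
          Detector:
            Type: AWS::GuardDuty::Detector
            Properties:
              Enable: true
              FindingPublishingFrequency: FIFTEEN_MINUTES
```

Two prerequisites apply before this deploys: the account running the template must already be registered as a delegated administrator for StackSets from the management account (`aws organizations register-delegated-administrator --service-principal member.org.stacksets.cloudformation.amazonaws.com`), and trusted access for StackSets must be enabled in Organizations. The equivalent API/CLI setting for a manual call is `--call-as DELEGATED_ADMIN` on `create-stack-set`, which is the `callAs` parameter the issue author pointed at.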

@anandsurada

Hi folks, Yes, we launched this yesterday! The CallAs attribute should now be available in the StackSet Resource. Thanks @jfoy for sharing the documentation link here.

@mikebroberts

Confirmed - I just tried this and it worked first time. And still 6 weeks left in Q2 @anandsurada ! :)

Thanks!

@PCIS-Paul

@anandsurada Do you know if this update has enabled CodePipeline to create service managed StackSets as mentioned in #796 or would implementation fall to a different team?

@cdsnaps

cdsnaps commented Jun 8, 2021

> @anandsurada Do you know if this update has enabled CodePipeline to create service managed StackSets as mentioned in #796 or would implementation fall to a different team?

@anandsurada I am also interested in this functionality working for CodePipeline as well.

@anandsurada

Hi @PCIS-Paul, that would involve updating the StackSet action in CodePipeline and would fall under a different team. Let me reach out to the CodePipeline team and get their attention on #796.
