Unable to fetch paramters (Param Value) from parameter store for this account

amazon-web-services amazon-cloudformation ssm
Jiew Meng picture Jiew Meng · Aug 19, 2018 · Viewed 7.4k times · Source

I get the error: 

$ aws cloudformation deploy --template-file ./packaged-stack.yml --stack-name mystackname --capabilities CAPABILITY_NAMED_IAM`


An error occurred (ValidationError) when calling the CreateChangeSet operation: Unable to fetch parameters [XXX] from parameter store for this account.

What is wrong here?

The weird thing is XXX is the value from paramter store, so CloudFormation is actually able to get the value ... but it seems like its trying to read from the paramter whose name is the value it got out ... I think my usage is incorrect? 

AWSTemplateFormatVersion : '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: '...'

Parameters:
  BaseStack:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /some/thing/baseStack

The value stored in /some/thing/baseStack is XXX in this example

Answer

Dinush picture Dinush · Oct 9, 2019

This usually happens when you pass the parameters from one template to another.

Template 1 has parameter reading from SSM store and passing it to another template

Parameters:
  SNSTopicArnParam:
    Description: Arn of the SNS topic
    Type: AWS::SSM::Parameter::Value<String>
    Default: /arn/topics/topic1
Resources:
  CallOtherStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: someurl/template2.yaml
      Parameters:
        SNSTopicArn: !Ref SNSTopicArnParam

And Template 2 has the following parameter and resources (will be erroring with the Unable to fetch parameters error.)

Parameters:
  SNSTopicArnFromCaller:
    Description: Arn of the SNS topic
    Type: AWS::SSM::Parameter::Value<String>
    Default: /arn/topics/topic1
Resources:
  NewSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Parameters:
        TopicArn: !Ref SNSTopicArnFromCaller
        Endpoint: someValue
        Protocol: SQS

This is because the template one would have the value of /arn/topics/topic1 (the arn of the topic) and pass the arn value to template2 while calling it. And template2 has the type of the value as another SSM parameter.

To resolve this, the template2 parameter type should be just the type of the actual parameter value. In this case, it should be String

so, template 2 should be updated as below to work properly

Parameters:
  SNSTopicArnFromCaller:
    Description: Arn of the SNS topic
    Type: String
Resources:
  NewSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Parameters:
        TopicArn: !Ref SNSTopicArnFromCaller
        Endpoint: someValue
        Protocol: SQS

Related questions

What is the difference between Elastic Beanstalk and CloudFormation for a .NET project?

I have developed a .NET MVC application and have started playing around with AWS and deploying it via the Visual Studio Toolkit. I have successfully deployed the application using the Elastic Beanstalk option in the toolkit. As I was going …

Read More
User is not authorized to perform: cloudformation:CreateStack

I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error. AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on …

Read More
How can I quickly and effectively debug CloudFormation templates?

CloudFormation is a powerful AWS offering that allows the programmatic creation of AWS resource stacks, such as the web tier of an application, a high performance computing cluster, or an entire application stack, with a single API call. It is …

Read More