Add missing cloudformation:DescribeStacks policy

lukeseawalker · lukeseawalker · commit 666c14673396 · 2018-10-29T11:29:23.000+01:00
The policy requirement was added here 8166743 This fix commit 486a913 Signed-off-by: Luca Carrogu <carrogu@amazon.com>
diff --git a/docs/source/iam.rst b/docs/source/iam.rst
@@ -4,7 +4,7 @@ IAM in CfnCluster
 ========================
 
 .. warning::
-    Between CfnCluster 1.5.3 and 1.6.0 we added a change to the `CfnClusterInstancePolicy` that adds “s3:GetObject” permissions on objects in <REGION>-cfncluster bucket and cloudformation:DescribeStacks" permissions on <REGION>:<ACCOUNT_NAME>:<STACK_NAME>
+    Between CfnCluster 1.5.4 and 1.6.0 we added a change to the `CfnClusterInstancePolicy` that adds “s3:GetObject” permissions on objects in <REGION>-cfncluster bucket and cloudformation:DescribeStacks" permissions on <REGION>:<ACCOUNT_ID>:stack/<STACK_NAME>
     If you're using a custom policy (e.g. you specify "ec2_iam_role" in your config) be sure it includes this new permission.
 
     Between CfnCluster 1.4.2 and 1.5.0 we added a change to the `CfnClusterInstancePolicy` that adds "ec2:DescribeVolumes" permissions. If you're using a custom policy (e.g. you specify "ec2_iam_role" in your config) be sure it includes this new permission.
@@ -107,6 +107,16 @@ CfnClusterInstancePolicy
               "Sid": "S3GetObj",
               "Effect": "Allow"
           },
+          {
+              "Resource": [
+                  "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/cfncluster-*"
+              ],
+              "Action": [
+                  "cloudformation:DescribeStacks"
+              ],
+              "Sid": "CloudFormationDescribe",
+              "Effect": "Allow"
+          },
           {
               "Resource": [
                   "*"
