amazon-web-services - 创建 cloudformation 堆栈集时出错 : Access denied for operation 'CreateLink'

Question

在关注 creating a monitoring account 上的 AWS 博客文章时，我们遇到了错误:

ResourceStatusReason:Resource handler returned message: "Access denied for operation 'CreateLink'." (RequestToken: xxx, HandlerErrorCode: AccessDenied).

我们以 root 用户身份登录管理帐户，并使用服务管理权限选项 documented in the cloud formation user guide ，其中指出:

With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. With this model, you don't need to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. You can also enable automatic deployments to accounts that are added to a target organization or organizational unit (OU) in the future. With automatic deployments enabled, StackSets automatically deletes stack instances from an account if it's removed from a target organization or OU.

由于我们使用 Root 登录，并且管理帐户权限应该自动管理，所以我不确定我们做错了什么。

Answer 1

错误可能出现在您在“链接您的源帐户”部分下载的 Cloudformation 模板中。检查以下行中的链接 ARN 是否正确:

    SinkIdentifier: "arn:aws:oam:us-east-1:123456789012:sink/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

我第一次下载这个模板时，出现了这一行:

    SinkIdentifier: "arn:[Object object]:oam:us-east-1:123456789012:sink/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

所以我在部署之前手动修复了它。