CloudBoosterDocs
Troubleshooting

AWS connection errors

Errors connecting an AWS account: CloudFormation, role assumption, regions, expired credentials.

AWS connection errors

Error: stack CREATE_FAILED

The CloudFormation stack that grants CloudBooster access failed to create. The most common causes:

Reason in stack eventsFix
User: ... is not authorized to perform: iam:CreateRoleYou don't have IAM admin in the target account. Ask someone who does.
Stack with name CloudBooster-Connect already existsA previous attempt left a stack behind. Delete it and retry.
... cannot be created until the resource is stableTransient; retry the stack in 60 seconds.

Get the full event log:

aws cloudformation describe-stack-events \
  --stack-name CloudBooster-Connect \
  --query 'StackEvents[?ResourceStatus==`CREATE_FAILED`]'

AccessDenied: User is not authorized to perform: sts:AssumeRole

CloudBooster cannot assume the cross-account role.

Check the trust policy:

aws iam get-role --role-name CloudBoosterPlatformRole \
  --query 'Role.AssumeRolePolicyDocument'

The trust policy must allow the CloudBooster control-plane account. If it doesn't, re-run the Connect AWS account wizard in the portal — the latest CloudFormation template carries the current trust policy.

Check the external ID:

CloudBooster uses an external ID to defend against the confused-deputy problem. If you copied a role from another tenant or hand-edited the template, the external ID may not match. Open the cloud profile in the portal (Organisation → Cloud Profiles → your profile) and compare the external ID shown there with the one in your role's trust policy.

Error: account is in region eu-west-1 but operation targeted us-east-1

Region mismatch. CloudBooster operates per region.

Fix: specify the region explicitly:

cbx audit aws --region eu-west-1

--region is repeatable, or pass --region all to sweep every region.

ExpiredToken: The security token included in the request is expired

Your local AWS credentials have expired. CloudBooster uses your local AWS session for the initial Connect AWS account wizard in the portal (when you deploy the CloudFormation stack into your AWS account).

aws sts get-caller-identity
# An error occurred (ExpiredToken)

Refresh:

aws sso login --profile <your-profile>
# or, for static creds: aws configure

Once the role is connected, CloudBooster doesn't need your local creds again — it uses the cross-account role directly.

ThrottlingException: Rate exceeded

AWS is rate-limiting requests. Usually transient.

cbx <command> --retry-on-throttle

If persistent, cbx audit aws may be issuing too many describe-* calls in parallel against the same account. Lower the AWS-side concurrency:

cbx audit aws --region eu-west-1 --aws-concurrency 2

Connection works, but cbx audit aws says "no permissions for ec2:DescribeVpcs"

Your role's permission boundary is too tight. The CloudBooster CloudFormation template grants the documented permissions in Cross-Account Role Security Model; if you've narrowed them, widen them back to the documented set.

aws iam list-attached-role-policies --role-name CloudBoosterPlatformRole

See also

Previous

Install errors

Next

`cbx audit` failures

On this page