When setting up Amazon Advertising Marketing Stream, you may encounter CloudFormation Stack errors at AWS.
AWS CloudFormation Stacks reflect orchestrates the setup/configuration of number of AWS services like IAM policies, S3 buckets, Firehose, and many others. An issue in any one of those service configuration steps can cause an error.
What is the correct AWS region to use?
Amazon Marketing Stream supports only three AWS regions: us-east-1 (NA), eu-west-1 (EU), and us-west-2 (FE).
What does a CloudFormation ROLLBACK_IN_PROGRESS look like?
Typically, when an error occurs AWS will report a Stack error with ROLLBACK_IN_PROGRESS:
Openbridge will also report we detected a CloudFormation Stack error at AWS like this:
{"errors": [{"message": "Stack ams-production-123456789012345-adgroups failed to create with status ROLLBACK_IN_PROGRESS"}]}
A CloudFormation Stack remains in the account with ROLLBACK_IN_PROGRESS. AWS will not automatically clean these up.
I got a "An error occurred (AccessDenied) when calling the CreateRole operation" in CloudFormation
When you first set up Openbridge on your AWS account for Amazon Marketing Stream, you ran a CloudFormation (CF) template that created a single IAM role (`ams-firehose-subscriber-role`). That same role is reused for every Openbridge AMS subscription you add — each new subscription appends permissions to its policy.
However, AWS limits would prevent scaling AMS pipelines which manifest as an error like this:
{"errors":[{"message":"An error occurred (AccessDenied) when calling the CreateRole operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/openbridge-customer-cloudformation/ob-cf-stack-gen is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::XXXXXXXXXX:role/ams-firehose-subscriber-role-254455433333 because no identity-based policy allows the iam:CreateRole action"}]}Additional permissions are needed to scale out multiple AMS subscriptions on an AWS account. This doc will step you through how to update AWS to support larger numbers of AMS subscriptions.
The Fix
You do not need to delete anything or recreate the role. The update preserves your existing setup so older subscriptions keep working.
We've updated the CloudFormation template to fix this (and to add one new IAM permission our service now requires). You need to apply the updated template to your existing stack — one time — and you'll be able to add subscriptions again.
Steps:
Get the latest template CloudFormation template, it is the same link you originally used, except it has been updated. Get the template here: CloudFormation template.
Open your existing stack in CloudFormation:
Sign in to the AWS Console for the account where Openbridge is installed.
Go to
CloudFormation→Stacks.Find and open the stack you originally created for Openbridge. It will have a name like
ams-cf-prod-<date>(for example,ams-cf-prod-20260430).
Start a change set:
In the top-right of the stack page, click
Update stack→Create a change set.
Fill in the change set screen with these exact settings:
Change set type: Standard change set
Prepare template: Replace existing template
Template source: Upload a template file with CloudFormation template
Upload a template file: Choose the template from 3.
Click Next.
Step through the remaining wizard pages
Specify change set details: Leave the defaults and click Next.
Configure change set options: Leave the defaults and click Next.
Review change set: Confirm the changes shown, acknowledge the IAM capabilities checkbox if prompted, and click
Create change set.
Execute the change set:
Wait a few seconds for the change set status to become
CREATE_COMPLETE, then clickExecute change setand confirm.The stack status will move to
UPDATE_IN_PROGRESSand then toUPDATE_COMPLETEwhen finished. This usually takes under a minute.Once the stack shows
UPDATE_COMPLETE, return to Openbridge and retry the subscription that failed. It should now attach successfully.
Update completed!
Notes
This update only needs to be done **once per AWS account**. After it's applied, future subscriptions will use the corrected permissions automatically.
Your existing subscriptions will continue to work uninterrupted during and after the update.
If you run into any issues during the update, contact support with the stack name and a screenshot of the error and we'll help you through it.
If a Stack Errors with ROLLBACK_IN_PROGRESS, then what?
If the Stacks are left in a ROLLBACK_IN_PROGRESS state, it will block the setup of the Marketing Stream service at Amazon Advertising.
While you can delete each Stack ROLLBACK_IN_PROGRESS manually, it is much quicker to use the Automatic ROLLBACK_IN_PROGRESS Cleanup process below
Automating ROLLBACK_IN_PROGRESS Stack Cleanup
In your AWS account, select the AWS CloudShell tool. You can find it in the main nav in AWS:
After selecting the CloudShell, this will open a CloudShell window like this:
Next, copy this cleanup script below and paste it into the CloudShell window:
#!/bin/bash
# ==============================================================================
# This script automatically finds and deletes all CloudFormation
# stacks in the current region with the status 'ROLLBACK_COMPLETE'.
# ==============================================================================
echo "Starting unattended cleanup of ROLLBACK_COMPLETE stacks..."
# Get a list of stack names with the ROLLBACK_COMPLETE status.
# The --query parameter filters the JSON output to get only the stack names.
# The --output text parameter returns the names as plain text, separated by tabs.
stacks_to_delete=$(aws cloudformation list-stacks --stack-status-filter ROLLBACK_COMPLETE --query "StackSummaries[].StackName" --output text)
# Check if any stacks were found. If not, exit gracefully.
if [ -z "$stacks_to_delete" ]; then
echo "No stacks found in ROLLBACK_COMPLETE state. Nothing to do."
exit 0
fi
# Log the stacks that will be deleted.
echo "The following stacks have been identified for deletion:"
# Use 'tr' to replace the tab separator with newlines for clean logging.
echo "$stacks_to_delete" | tr '\t' '\n'
echo "---"
# Loop through the list of stacks and delete each one without prompting.
echo "Proceeding with deletion..."
for stack_name in $stacks_to_delete; do
echo "Issuing delete command for stack: $stack_name"
aws cloudformation delete-stack --stack-name "$stack_name"
done
echo ""
echo "Unattended deletion process has been initiated for all found stacks."
echo "You can monitor their progress in the CloudFormation console."
After pasting the script in, the CloudShell will run the script and you should start to see it cleaning up these ROLLBACK_IN_PROGRESS Stacks from your account.
Important: Do not close the CloudShell window until the process completes
The process will look like this in CloudShell:
~ $
~ $ # Log the stacks that will be deleted.
~ $ echo "The following stacks have been identified for deletion:"
The following stacks have been identified for deletion:
~ $ # Use 'tr' to replace the tab separator with newlines for clean logging.
~ $ echo "$stacks_to_delete" | tr '\t' '\n'
ams-production-123456789012345-ads
ams-production-123456789012345-campaigns
ams-production-123456789012345-sb-conversion
ams-production-123456789012345-sd-traffic
ams-production-123456789012345-sb-traffic
ams-production-123456789012345-sp-conversion
ams-production-123456789012345-campaign-recommendations
ams-production-123456789012345-sp-traffic
ams-production-123456789012345-targets
ams-production-123456789012345-sp-budget-recommendations
ams-production-123456789012345-sd-conversion
ams-production-123456789012345-sb-rich-media
ams-production-123456789012345-sb-clickstream
ams-production-123456789012345-budget-usage
ams-production-123456789012345-adgroups
~ $ echo "---"
---
> aws cloudformation delete-stack --stack-name "$stack_name"
> done
Issuing delete command for stack: ams-production-123456789012345-ads
Issuing delete command for stack: ams-production-123456789012345-campaigns
Issuing delete command for stack: ams-production-2472995305201748-sb-conversion
Issuing delete command for stack: ams-production-123456789012345-sd-traffic
Issuing delete command for stack: ams-production-123456789012345-sb-traffic
Issuing delete command for stack: ams-production-123456789012345-sp-conversion
Issuing delete command for stack: ams-production-123456789012345-campaign-recommendations
Issuing delete command for stack: ams-production-123456789012345-sp-traffic
Issuing delete command for stack: ams-production-123456789012345-targets
Issuing delete command for stack: ams-production-123456789012345-sp-budget-recommendations
Issuing delete command for stack: ams-production-123456789012345-sd-conversion
Issuing delete command for stack: ams-production-123456789012345-sb-rich-media
Issuing delete command for stack: ams-production-123456789012345-sb-clickstream
Issuing delete command for stack: ams-production-123456789012345-budget-usage
Issuing delete command for stack: ams-production-123456789012345-adgroups
~ $
After this CloudShell process is complete, the ROLLBACK_IN_PROGRESS Stacks will be removed from your account.
In your CloudFormation Stacks view, you can hit the Refresh button to see the removal progress. The browser will slowly start to remove the ROLLBACK_IN_PROGRESS
Once everything is complete, you can now attempt to re-run the process again without running into conflicts with Stacks stuck in a ROLLBACK_IN_PROGRESS state.