aws-solutions / instance-scheduler-on-aws

A cross-account and cross-region solution that allows customers to automatically start and stop EC2 and RDS Instances
https://aws.amazon.com/solutions/implementations/instance-scheduler-on-aws/
Apache License 2.0

remote template URL not accessible when used in StackSet #534

Closed halberom closed 4 months ago

halberom commented 4 months ago

Describe the bug

Attempting to use any of the following URLs in a StackSet for the remote template results in an error

Object referenced by https://s3.amazonaws.com/solutions-reference/instance-scheduler-on-aws/latest/instance-scheduler-on-aws-remote.template is not accessible

If I download the template and upload it as a StackSet template file, it works. Similarly if I deploy it via a CloudFormation Stack to a local account it also works. It looks like it might be a permission issue where CloudFormation StackSets aren't allowed to access it.

To Reproduce

  1. Login to org master
  2. Navigate to CloudFormation StackSets
  3. Create a new SERVICE_MANAGED StackSet and provide one of the above URLs for the template
  4. Provide parameters
  5. Deploy to an OU+INTERSECTION+Account ID using the ap-southeast-2 region

It will fail with

Object referenced by https://s3.amazonaws.com/solutions-reference/instance-scheduler-on-aws/latest/instance-scheduler-on-aws-remote.template is not accessible

Expected behavior

No error


aws-khargita commented 4 months ago

Thank you for reaching out. I followed your steps but was unable to reproduce the issue. I am able to successfully deploy the stack set to ap-southeast-2 using the template in the public solutions-reference bucket.

This sounds like the target account may have insufficient permissions to deploy the template from the public bucket. Could you please verify if you can manually deploy the spoke stack from the public template in the failing account?

You may also want to check if any service control policies for the org are causing you the access issues.

halberom commented 4 months ago

Thanks @aws-khargita - I think I understand what's happening. The https://s3 URL gets converted to a GetObject from e.g. arn:aws:s3::solutions-ap-southeast-2/instance-scheduler-on-aws/..., which I didn't have.
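A way to turn the two findings above (aws-khargita's "check your SCPs" and halberom's observation that the global URL becomes a GetObject against a regional solutions-<region> bucket) into a repeatable check. This is an added example, not code from instance-scheduler-on-aws or from either commenter: it walks an SCP document and reports every Deny statement that covers s3:GetObject on the regional template object. The SCP documents are constructed, the bucket-name prefix acme- is a placeholder, and the object key under solutions-ap-southeast-2 is assumed to mirror the global URL path (the thread only shows it truncated). Condition blocks are not evaluated; a conditional Deny is flagged rather than skipped.

```python
"""Find the SCP statement that would block the s3:GetObject StackSets performs
when it fetches a solution template from the regional public bucket.

Added example for the issue thread; not part of instance-scheduler-on-aws.
SCP documents are constructed; the regional object key is an assumption.
"""
import fnmatch

REGION = "ap-southeast-2"
# Assumed regional object ARN (standard arn:aws:s3:::bucket/key form).
TEMPLATE_ARN = (
    f"arn:aws:s3:::solutions-{REGION}/instance-scheduler-on-aws/"
    "latest/instance-scheduler-on-aws-remote.template"
)


def _as_list(value):
    """IAM allows either a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'),
    '?' matches exactly one. fnmatchcase treats '/' as ordinary, as IAM does."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def denying_statements(policy, action, resource):
    """Return (Sid, kind) for each Deny statement whose Action/NotAction and
    Resource/NotResource cover the request. Conditions are not evaluated, so
    a statement with a Condition block is reported as 'conditional' for a
    human to check instead of being silently ignored."""
    hits = []
    act = action.lower()  # action names match case-insensitively; resources do not
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _any_match([a.lower() for a in _as_list(stmt["Action"])], act)
        else:
            action_hit = not _any_match(
                [a.lower() for a in _as_list(stmt.get("NotAction"))], act)
        if "Resource" in stmt:
            resource_hit = _any_match(_as_list(stmt["Resource"]), resource)
        else:
            resource_hit = not _any_match(_as_list(stmt.get("NotResource")), resource)
        if action_hit and resource_hit:
            sid = stmt.get("Sid", f"Statement[{idx}]")
            hits.append((sid, "conditional" if "Condition" in stmt else "unconditional"))
    return hits


# Constructed SCP of the common "no S3 reads outside our own buckets" shape.
SCP_BLOCKING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3OutsideOrgBuckets",
        "Effect": "Deny",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "NotResource": ["arn:aws:s3:::acme-*", "arn:aws:s3:::acme-*/*"],
    }],
}

# Same SCP with the AWS Solutions buckets (solutions-reference and the
# regional solutions-<region> copies) carved out of the Deny.
SCP_FIXED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3OutsideOrgBuckets",
        "Effect": "Deny",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "NotResource": [
            "arn:aws:s3:::acme-*",
            "arn:aws:s3:::acme-*/*",
            "arn:aws:s3:::solutions-*/*",  # objects StackSets reads
        ],
    }],
}

if __name__ == "__main__":
    for name, scp in (("blocking", SCP_BLOCKING), ("fixed", SCP_FIXED)):
        print(name, denying_statements(scp, "s3:GetObject", TEMPLATE_ARN))
```

The direct equivalent from inside the failing account is `aws s3api head-object --bucket solutions-ap-southeast-2 --key instance-scheduler-on-aws/latest/instance-scheduler-on-aws-remote.template` (same assumed key) run with the credentials the StackSet execution role gets; a 403 there, while the same call succeeds from an account outside the SCP, points at the SCP or the role rather than at the bucket. Note that carving the buckets out of a Deny only helps if the role's own identity policy also allows s3:GetObject on them.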