The Bosh Stemcell Upload results in error due to Missing Resource Tags

Article ID: 390439

Updated On:

Products

VMware Tanzu Platform

Issue/Introduction

The error below occurs when the Infrastructure as a Service (IaaS) has policies in place (on AWS, a service control policy, or SCP) that prevent resource creation without the required resource tags.
This particular issue was encountered during a heavy stemcell upload on AWS: the BOSH Director VM attempted to create and store a stemcell but failed because the BOSH Director did not assign the AWS tags during resource creation.

The "heavy stemcell" refers to the actual stemcell that is stored as your own managed AWS AMI.

  • Heavy Stemcell: This stemcell is stored as your own managed AWS AMI. When uploading a heavy stemcell, BOSH attempts to store it within your AWS account.
  • Light Stemcell: The light-bosh-stemcell references a stemcell ID (AWS AMI ID) in the public cloud, which is uploaded by Broadcom to their public stemcell repository.


Unknown CPI error 'Unknown' with message 'You are not authorized to perform this operation. User: arn:aws:iam::ID123456:user/my-aws-user is not authorized to perform: ec2:CreateSnapshot on resource: arn:aws:ec2:us-east-1::snapshot/* with an explicit deny in a service control policy. Encoded authorization failure message:'
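
To see in advance which tags an SCP demands for the action named in the error, the sketch below (an added example, not part of the original article or of BOSH) scans a policy document for Deny statements that match `ec2:CreateSnapshot` and use a `Null` condition on `aws:RequestTag/<key>`. The sample policy, its Sids, and the tag keys `CostCenter` and `Owner` are constructed for illustration; `NotAction` and other condition operators are not evaluated.

```python
import fnmatch

# Constructed SCP for illustration only: the Sids and tag keys are assumptions,
# not values taken from the article.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RequireCostCenter", "Effect": "Deny",
         "Action": ["ec2:CreateSnapshot", "ec2:CreateVolume"],
         "Resource": "*",
         "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}},
        {"Sid": "RequireOwner", "Effect": "Deny",
         "Action": "ec2:Create*",
         "Resource": "*",
         "Condition": {"Null": {"aws:RequestTag/Owner": "true"}}},
        {"Sid": "Unrelated", "Effect": "Deny",
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def required_request_tags(scp, action):
    """Map tag key -> Sid for Deny statements that block `action` when the tag is absent."""
    prefix = "aws:requesttag/"
    required = {}
    for stmt in _as_list(scp.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        # {"Null": {"aws:RequestTag/X": "true"}} matches requests that lack tag X.
        for cond_key, value in stmt.get("Condition", {}).get("Null", {}).items():
            if cond_key.lower().startswith(prefix) and str(value).lower() == "true":
                required[cond_key[len(prefix):]] = stmt.get("Sid", "(no Sid)")
    return required

def missing_tags(scp, action, request_tags):
    """Tag keys whose absence from the request would trigger an explicit deny."""
    return sorted(k for k in required_request_tags(scp, action) if k not in request_tags)
```
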

 

Resolution

To avoid this error and successfully proceed with the stemcell upload, you can use the light stemcell instead of the heavy stemcell. This will reference Broadcom’s existing public stemcell without requiring the creation of your own AWS AMI.

In future releases, BOSH will have a feature that allows administrators to specify the required tags during resource creation.