I am looking at an IAM role in the console that I believe has been defined in a CloudFormation template. How do I identify the template that defined the IAM role?
Some resources support extra tags if you use CFN to create them (S3, Security Group ...), you can see aws:cloudformation:stack-id in Tags. Currently, IAM roles and policies don't have that feature. Searching by Physical ID in stacks is the only way I know.
Related
I have create some resoruces and iam roles by terraform, and add tags to them.
I'd like to find all the resource with specifiec tag, but the resoult didn't include the iam role, even I select "All supported resource types". And I find this page https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html, it didn't mention how to find iam role.
is there any method to finnd out the iam role.
PS:my gole is export all the resources created by terraform, as they are a lot of resources, so I don't want to filter the resouce by tags as I have add tags to every resouces.
According to https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html:
at this time, you can tag only the following IAM resources using the Resource Groups Tagging API:
instance-profile
mfa
oidc-provider
policy
saml-provider
server-certificate
I.e. Resource Groups Tagging API has no support for the roles atm. You need to get all roles aws iam list-roles and then get tags on role aws iam list-role-tags to filter roles by tags.
I want to create an access key in IAM-User, but I don't have permission to do that, so I want to use cloudformation to create an IAM user/role which I have permission, can anyone shows me a template for that? I couldn't find a correct one, Thanks
I don't have permission to do that
If you don't have permissions to create IAM users/roles you can't create them with CloudFormation either as it uses your permissions, which you lack, to create resources.
The only way would be if you were given a role which can be assumed by CloudFormation to create IAM entities, instead of using your permissions. But this is unlikely. You can ask your AWS admins if they can create/give you such a role for CloudFormation.
I'm new to AWS and I have a task to add tags to different resources.
I'm getting this error on the CloudFormation
Did not have IAM permissions to process tags on AWS::CodePipeline::Pipeline resource.
Is anyone familiar with this? I just added Tags in Properties.
Thanks in advance!
Your Cloudformation is probably correct, but the IAM User or Role doesn't have the IAM permissions for codepipeline:TagResource
Checkout the available IAM actions for Codepipeline and ensure your IAM user/role has these permissions
The error says it all. Check the IAM permissions of the cloudformation role that they can assign tags to the codepipeline resource. If you are using specific permissions you will need to enable TagResource, otherwise if the role has permissions:
"codepipeline":"*"
Ensure that they are able to apply them to the resource in question.
I made a typo while creating an IAM role to allow a lambda function to access the cloudwatch logs and to create EC2 volumes snapshots. Is there any way to rename the role, whether by using the console or the AWS CLI ?
You cannot edit IAM roles after the role has been created. This is mentioned in several places, including when the role is created through the IAM console.
And in several places in the docs.
For Role name, type a role name to help identify the purpose of this role. Role names must be unique within your AWS account. After you enter the name, click Next Step.
Role names have character limitations. The number of roles in an AWS account and the policy size for policies attached to roles are also limited. For more information, see Limitations on IAM Entities and Objects. Note that you cannot edit the name of the role after it is created.
It is not possible to edit the name via the console or AWS CLI.
Is it possible to set access permission to cloud formation template using IAM policies . If yes how to set the access policies ?
If you go to IAM and search for "cloudformation" in the Policies section you will see a read-only policy called, "AWSCloudFormationReadOnlyAccess". You can of course make you own custom policies but this is where you can restrict the use of CloudFormation.
For the actual templates you can use policies or a role to an S3 bucket that contains the policy template.
Using a combination of the two methods above you can get very granular on how CF and templates are used.