I am configuring an Auto Scaling group in CloudFormation and I'm trying to start all the EC2 nodes with an IAM role attached to them (one that allows access to S3, for example).
I know that in CloudFormation there is the ServiceLinkedRoleARN key. According to the docs this key uses the AutoScalingServiceRolePolicy role by default, and it doesn't have S3 access. I can't create a custom role that contains both an S3 role and the AutoScalingServiceRole role because I'm getting an error:
Cannot attach a Service Role Policy to a Customer Role.
So should I attach only a custom S3 role to the scaling group? What is the best-practice way to do it?
You specify the instance role for instances in your ASG in either a LaunchConfiguration (LC) or a LaunchTemplate (LT):
- LC, IamInstanceProfile: Provides the name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. The instance profile contains the IAM role.
- LT, IamInstanceProfile: The IAM instance profile.
I found out that in AWS::AutoScaling::LaunchConfiguration there is a property called IamInstanceProfile that can be used exactly for that.
Please notice that on the role's page there are two ARNs: profile-role-arn and role-arn. I first didn't notice that and used the role-arn. The right ARN to use is the profile-arn.
Does anyone know how to pass a service linked role (autoscaling role with a suffix) to an autoscaling group by using CDK/CloudFormation?
I have managed to grant the default autoscaling service role access to a CMK living in another account. However, I don't want all autoscaling groups having the default role to have access to the key.
I assume that the best solution is to bootstrap the service linked role and grant it CMK access, but how do I pass the role? (This is not the instance assumable role)
The service-linked role for Auto Scaling is specified using ServiceLinkedRoleARN in AWS::AutoScaling::AutoScalingGroup. It is not related to the role assumed by the instances.
I'm trying to select an IAM Role from the list to attach it to EC2 instances while deploying servers. However, I'm not seeing an option to do this.
```json
"IAMRole": {
  "Description": "EC2 attached IAM role, must be an existing IAM role which will be attached to EC2 instance.",
  "Type": "AWS::IAM::Role::RoleName",
  "ConstraintDescription": "Must be the name of an existing IAM Role"
}
```
I only have the option to use Type: String and pass a default string value.
Correct me if this is wrong or if there is something I need to know.
Based on Parameters - AWS CloudFormation, there is no parameter type for nominating an IAM Role.
There are pre-defined types for VPC, Subnets, Security Groups, etc but none for IAM elements.
Therefore, it is not possible to present an automatically-populated drop-down list of IAM Roles when selecting parameters during the launch of an AWS CloudFormation stack.
I see that there is only one role that can be assigned through the AWS console.
A role can have multiple policies.
Is there a possibility/necessity to assign more than one role to EC2?
No, it is not possible, nor is there a necessity.
If your IAM Role needs to access multiple resources, you can do so by attaching multiple policies to a single IAM Role.
For more information, check Policies and Permissions.
AWS does not support the ability to assign more than one instance role to an instance.
From the AWS user guide:
An instance profile can contain only one IAM role. This limit cannot be increased.
The instance can be assigned a role and that role can be assigned multiple policies. Or you can create a single policy that contains all permissions necessary for that instance.
See: Instance Roles for EC2
I want to attach an AWS managed role to my EC2 instance in CloudFormation. For this I need to attach the managed role to an instance profile and attach the instance profile to the EC2 instance.
How can I attach the managed role to the instance profile?
I tried:
```yaml
ASGIAMInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    InstanceProfileName: asg-instance-profile
    Roles:
      - AWSServiceRoleForAutoScaling
```
But I got:
Cannot perform the operation on the protected role 'AWSServiceRoleForAutoScaling' - this role is only modifiable by AWS (Service:
I know I can recreate a comparable role and attach it to an instance profile but that seems a bit overkill.
The only "managed roles" are service-linked roles. These are special roles that are directly attached to a service itself and cannot be attached to other entities.
You can, however, associate a Managed Policy with roles. These are the policies shown in the "Policies" section of the IAM management console.
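Putting the answers above together, as an added example that is not from any of the posts: a template that wires a customer-managed role into an instance profile and launch template for an Auto Scaling group (the first question), with an AWS managed policy attached to that role as this answer describes. The bucket name and AMI ID are placeholders and the subnet IDs come from a parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Added example, not from the original posts. Bucket name and AMI ID are placeholders.
Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  # A customer role trusted by EC2. The Auto Scaling service-linked role is not involved:
  # it cannot be placed in an instance profile or modified by the account.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      # One role, several policies: an AWS managed policy plus an inline statement scoped to one bucket.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
      Policies:
        - PolicyName: ReadExampleBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:ListBucket]
                Resource:
                  - arn:aws:s3:::example-bucket-placeholder
                  - arn:aws:s3:::example-bucket-placeholder/*
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]   # an instance profile holds exactly one role
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0123456789abcdef0   # placeholder
        InstanceType: t3.micro
        IamInstanceProfile:
          Arn: !GetAtt InstanceProfile.Arn   # the profile ARN, not the role ARN
  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '1'
      MaxSize: '2'
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
```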
I've been reading up on configuring the CloudWatch Logs service; however, the docs say that you must attach a permission to the IAM role of your instance. If I already have an instance running that doesn't have an IAM role attached, what options do I have for configuring this service?
You can clone your current instance into a new EC2 instance that has an IAM instance profile (role) assigned:
1. Stop your EC2 instance.
2. Create an AMI image of your EC2 instance.
3. Launch a new EC2 instance from your AMI image, this time assigning an IAM role.
If the instance was launched without an IAM role, then:
1. Create a policy (not an inline policy) as specified in the document.
2. Add a test IAM user and attach the policy to the test_user.
3. From the IAM dashboard, download or copy the test_user security credentials (key and secret).
4. On your instance, run aws configure and configure the credentials using the key and secret.
It may look complicated, but it is not.