I'm new to AWS and I have a task to add tags to different resources.
I'm getting this error from CloudFormation:
Did not have IAM permissions to process tags on AWS::CodePipeline::Pipeline resource.
Is anyone familiar with this? I just added Tags in Properties.
Thanks in advance!
Your CloudFormation template is probably correct, but the IAM user or role doesn't have the IAM permission for codepipeline:TagResource.
Check out the available IAM actions for CodePipeline and ensure your IAM user/role has these permissions.
The error says it all. Check the IAM permissions of the CloudFormation role so that it can assign tags to the CodePipeline resource. If you are using specific permissions you will need to enable TagResource; otherwise, if the role has permissions:
"codepipeline":"*"
ensure that they are able to apply them to the resource in question.
Related
I am looking at an IAM role in the console that I believe has been defined in a CloudFormation template. How do I identify the template that defined the IAM role?
Some resources get extra tags if you use CFN to create them (S3, security group ...); you can see aws:cloudformation:stack-id in Tags. Currently, IAM roles and policies don't have that feature. Searching by Physical ID in stacks is the only way I know.
I have created some resources and IAM roles with Terraform, and added tags to them.
I'd like to find all the resources with a specific tag, but the result didn't include the IAM role, even when I select "All supported resource types". And I found this page https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html, but it didn't mention how to find IAM roles.
Is there any method to find the IAM role?
PS: my goal is to export all the resources created by Terraform; as there are a lot of resources, I don't want to filter the resources by tags, as I have added tags to every resource.
According to https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html:
at this time, you can tag only the following IAM resources using the Resource Groups Tagging API:
instance-profile
mfa
oidc-provider
policy
saml-provider
server-certificate
I.e. the Resource Groups Tagging API has no support for roles at the moment. You need to get all roles with aws iam list-roles and then get the tags of each role with aws iam list-role-tags to filter roles by tags.
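As an added example (mine, not the answerer's code), here is that list-roles / list-role-tags walk in Python. Both IAM calls are paginated with IsTruncated/Marker and ListRoles returns no tags, so the loop has to page through roles and then page through each role's tags. FakeIamClient and the role inventory are constructed stand-ins so the block runs offline; against a real account, boto3's client = boto3.client("iam") exposes the same list_roles / list_role_tags method names and response shapes, so the two filtering functions can be used unchanged.

```python
"""Find IAM roles by tag via ListRoles + ListRoleTags (added example)."""


def _paginate(call, result_key, **kwargs):
    """Follow IsTruncated/Marker until the IAM API reports no further page."""
    marker = None
    while True:
        page = call(Marker=marker, **kwargs) if marker else call(**kwargs)
        yield from page[result_key]
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def role_tags(client, role_name):
    """Flatten a role's [{"Key": ..., "Value": ...}] tag list into a dict."""
    return {t["Key"]: t["Value"]
            for t in _paginate(client.list_role_tags, "Tags", RoleName=role_name)}


def roles_with_tags(client, required):
    """Names of roles whose tags contain every key/value pair in `required`."""
    matches = []
    for role in _paginate(client.list_roles, "Roles"):
        tags = role_tags(client, role["RoleName"])
        if all(tags.get(key) == value for key, value in required.items()):
            matches.append(role["RoleName"])
    return matches


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client.

    Returns the same response shape as ListRoles / ListRoleTags, but only one
    item per page, so every Marker branch in _paginate is exercised.
    """

    def __init__(self, roles):
        self._roles = roles   # {role_name: {tag_key: tag_value}}
        self.calls = 0        # API calls made; real IAM has request quotas

    def _page(self, items, key, marker):
        self.calls += 1
        start = int(marker) if marker else 0
        page = {key: items[start:start + 1], "IsTruncated": start + 1 < len(items)}
        if page["IsTruncated"]:
            page["Marker"] = str(start + 1)
        return page

    def list_roles(self, Marker=None):
        roles = [{"RoleName": name, "Arn": f"arn:aws:iam::123456789012:role/{name}"}
                 for name in self._roles]
        return self._page(roles, "Roles", Marker)

    def list_role_tags(self, RoleName, Marker=None):
        tags = [{"Key": k, "Value": v} for k, v in self._roles[RoleName].items()]
        return self._page(tags, "Tags", Marker)


# Constructed inventory: two Terraform-managed roles and one created by hand.
SAMPLE_ROLES = {
    "app-deploy": {"ManagedBy": "terraform", "Env": "prod"},
    "app-ci": {"ManagedBy": "terraform", "Env": "dev"},
    "break-glass": {"Owner": "secops"},
}

if __name__ == "__main__":
    client = FakeIamClient(SAMPLE_ROLES)
    print(roles_with_tags(client, {"ManagedBy": "terraform"}))   # ['app-deploy', 'app-ci']
    print(client.calls, "API calls")                             # 8 API calls
```

Note the call count: one ListRoleTags request per role on top of the ListRoles pages, so on a large account this is slow and rate-limited, which is exactly why the Resource Groups Tagging API is the nicer path for the resource types it does support.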
I want to create an access key for an IAM user, but I don't have permission to do that, so I want to use CloudFormation to create an IAM user/role, which I do have permission for. Can anyone show me a template for that? I couldn't find a correct one. Thanks
I don't have permission to do that
If you don't have permission to create IAM users/roles, you can't create them with CloudFormation either, as it uses your permissions, which you lack, to create resources.
The only way would be if you were given a role that CloudFormation can assume to create IAM entities, instead of using your permissions. But this is unlikely. You can ask your AWS admins whether they can create such a role for CloudFormation and give it to you.
I need to grant IAM role creation permission to a user, but with the condition that he can only do it from some AWS service.
For example, if a user runs a CloudFormation stack that attempts to create an IAM role, he should be allowed; if he creates the role manually, it should be denied. Or if a person creates a CodePipeline, he should have permission to create the role.
The concept you are looking for sounds like service-linked roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/
However, I don't think it is supported for CloudFormation or CodePipeline.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
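Both the tagging error at the top of this page and this question come down to how IAM evaluates a single identity policy against a request, so here is one added example (mine, not code from any of the posters or from AWS) that covers both. It is a small evaluator implementing explicit-Deny precedence, wildcard Action/Resource matching and Condition evaluation, run over four constructed policies: the narrow CodePipeline policy that produces "Did not have IAM permissions to process tags", the least-privilege fix that adds codepipeline:TagResource/UntagResource, the codepipeline:* wildcard that covers tagging implicitly, and an iam:CreateRole grant conditioned on the real aws:CalledVia global condition key, whose documented supported values include cloudformation.amazonaws.com, which expresses "only when CloudFormation is acting on the user's behalf". The account ID, ARNs and policy documents are constructed, and the evaluator deliberately models only what these cases need (no SCPs, resource policies, permission boundaries or NotAction).

```python
"""Toy evaluator for one IAM identity policy (added example, not AWS code).
Explicit Deny wins; Action/Resource are wildcard patterns; Condition is
checked against the request context (String* operators and ForAnyValue/
ForAllValues prefixes only, enough for the multivalued aws:CalledVia key).
SCPs, resource policies, boundaries and NotAction/NotResource are not modelled.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_match(pattern, value, case_sensitive):
    # IAM matches actions case-insensitively and resource ARNs case-sensitively.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.partition(":")
        if not base_op:                    # no set prefix, e.g. plain "StringEquals"
            set_op, base_op = "", set_op
        for key, wanted in pairs.items():
            wanted, actual = _as_list(wanted), _as_list(context.get(key, []))
            if base_op == "StringEquals":
                matches = [a in wanted for a in actual]
            elif base_op == "StringLike":
                matches = [any(fnmatch.fnmatchcase(a, w) for w in wanted) for a in actual]
            else:
                raise ValueError(f"operator {operator!r} not modelled here")
            if set_op == "ForAnyValue":
                ok = any(matches)          # at least one value of a multivalued key
            elif set_op == "ForAllValues":
                ok = all(matches)          # vacuously true when the key is absent
            else:
                ok = len(actual) == 1 and matches[0]   # single-valued key must be present
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource):
    if "NotAction" in stmt or "NotResource" in stmt:
        raise ValueError("NotAction/NotResource not modelled here")
    return (any(_pattern_match(p, action, False) for p in _as_list(stmt.get("Action", [])))
            and any(_pattern_match(p, resource, True) for p in _as_list(stmt.get("Resource", []))))


def evaluate(policy, action, resource="*", context=None):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"         # a matching Deny ends evaluation
        decision = "allow"
    return decision


# Constructed identifiers for the walkthrough.
ACCOUNT = "123456789012"
PIPELINE_ARN = f"arn:aws:codepipeline:us-east-1:{ACCOUNT}:demo-pipeline"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app-deploy"

# Narrow CodePipeline policy: the stack can create the pipeline, but Tags in
# Properties fail because TagResource is never granted.
NARROW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["codepipeline:CreatePipeline", "codepipeline:GetPipeline",
                "codepipeline:UpdatePipeline", "codepipeline:DeletePipeline"]}]}

# Least-privilege fix: grant tagging explicitly, scoped to the pipeline ARN.
FIXED = {"Version": "2012-10-17", "Statement": NARROW["Statement"] + [
    {"Effect": "Allow", "Resource": PIPELINE_ARN,
     "Action": ["codepipeline:TagResource", "codepipeline:UntagResource"]}]}

# Service wildcard: tagging is covered implicitly, but an explicit Deny still wins.
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codepipeline:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "codepipeline:DeletePipeline", "Resource": "*"}]}

# iam:CreateRole only when CloudFormation makes the call on the user's behalf;
# aws:CalledVia is multivalued, so it needs the ForAnyValue set operator.
CREATE_ROLE_VIA_CFN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateRole",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-*",
     "Condition": {"ForAnyValue:StringEquals": {
         "aws:CalledVia": ["cloudformation.amazonaws.com"]}}}]}

if __name__ == "__main__":
    print(evaluate(NARROW, "codepipeline:TagResource", PIPELINE_ARN))       # implicit_deny
    print(evaluate(FIXED, "codepipeline:TagResource", PIPELINE_ARN))        # allow
    print(evaluate(WILDCARD, "codepipeline:DeletePipeline", PIPELINE_ARN))  # explicit_deny
    print(evaluate(CREATE_ROLE_VIA_CFN, "iam:CreateRole", ROLE_ARN,
                   {"aws:CalledVia": ["cloudformation.amazonaws.com"]}))     # allow
    print(evaluate(CREATE_ROLE_VIA_CFN, "iam:CreateRole", ROLE_ARN))        # implicit_deny
```

Against a real principal the equivalent check is aws iam simulate-principal-policy --policy-source-arn <role-or-user-arn> --action-names codepipeline:TagResource, which reports the same allowed / implicitDeny / explicitDeny decisions and is the quickest way to confirm the diagnosis in the first answer before touching the template. The CalledVia policy only covers the CloudFormation half of the question; the CodePipeline half is not something this example demonstrates.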
Is there a way that I could update an existing role's IAM (inline) policy?
Process followed for now:
1) I am able to create a role
2) I am able to attach a managed policy
3) I am able to attach an inline policy
I accept 2 parameters in the script: one is an external ID and the other is the role name. If the end user or customer specifies an existing role as input, then I would have to update the existing role's IAM policy, and I have to add new AWS services to the existing policy.
Thanks
Nataraj
This is straightforward with update stack.
ASR, thank you very much for your input.