I'm trying to select an IAM Role from the list to attach it to EC2 instances while deploying servers. However, I'm not seeing an option to do this.
```json
"IAMRole": {
  "Description": "EC2 attached IAM role, must be an existing IAM role which will be attached to EC2 instance.",
  "Type": "AWS::IAM::Role::RoleName",
  "ConstraintDescription": "Must be the name of an existing IAM Role"
}
```
I only have the option to use Type: String and pass a default string value.
Correct me if this is wrong or something I need to know.
Based on Parameters - AWS CloudFormation, there is no parameter type for nominating an IAM Role.
There are pre-defined types for VPC, Subnets, Security Groups, etc., but none for IAM elements.
Therefore, it is not possible to present an automatically-populated drop-down list of IAM Roles when selecting parameters during the launch of an AWS CloudFormation stack.
I want to add a new role to an existing redshift cluster using CloudFormation.
How Can I add it?
Here are the AWS docs for a manual change:
To associate an IAM role with a cluster
Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/
On the navigation menu, choose Clusters, then choose the name of the cluster that you want to update.
For Actions, choose Manage IAM roles. The IAM roles page appears.
Either choose Enter ARN and then enter an ARN or an IAM role, or choose an IAM role from the list. Then choose Add IAM role to add it to the list of Attached IAM roles.
Choose Done to associate the IAM role with the cluster. The cluster is modified to complete the change.
Via CloudFormation, you would use the IamRoles attribute, as outlined here.
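As an added example (not part of the answer above, and not AWS's own sample), here is a CloudFormation template that creates a role trusting redshift.amazonaws.com with read access to a single bucket and associates it with the cluster through the IamRoles property. The bucket-name parameter, logical IDs, database name and node type are assumptions. For a cluster that is already managed by a stack, appending a second ARN to the IamRoles list and updating the stack is the template equivalent of the console's Manage IAM roles step; a cluster created outside CloudFormation has to be imported into a stack before a template can change it.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Redshift cluster with an IAM role attached via IamRoles (added example, assumed names)",
  "Parameters": {
    "DataBucketName": {
      "Type": "String",
      "Description": "Assumed: the only bucket the cluster is allowed to read (e.g. for COPY)"
    },
    "MasterUserPassword": {
      "Type": "String",
      "NoEcho": true,
      "Description": "Master user password; NoEcho keeps it out of stack events and describe-stacks output"
    }
  },
  "Resources": {
    "ClusterS3ReadRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "redshift.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "ReadOneBucketOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [ "s3:GetObject" ],
                  "Resource": { "Fn::Sub": "arn:aws:s3:::${DataBucketName}/*" }
                },
                {
                  "Effect": "Allow",
                  "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
                  "Resource": { "Fn::Sub": "arn:aws:s3:::${DataBucketName}" }
                }
              ]
            }
          }
        ]
      }
    },
    "Cluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterType": "single-node",
        "NodeType": "dc2.large",
        "DBName": "analytics",
        "MasterUsername": "awsuser",
        "MasterUserPassword": { "Ref": "MasterUserPassword" },
        "PubliclyAccessible": false,
        "Encrypted": true,
        "IamRoles": [
          { "Fn::GetAtt": [ "ClusterS3ReadRole", "Arn" ] }
        ]
      }
    }
  }
}
```

IamRoles takes role ARNs, not names, which is why the template uses Fn::GetAtt on the role's Arn attribute. The inline policy is scoped to one bucket rather than a broad managed policy, so compromising the cluster's role does not expose every bucket in the account.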
I want to create a number of EC2 instances via an AutoScalingGroup using CDK.
```java
AutoScalingGroup ec2Asg = AutoScalingGroup.Builder.create(this, "Ec2Asg")
    .role(myEc2InstanceProfileRole)
    // ... further config here ...
    .build();
```
If possible, I'd like to restrict each instance in the ASG to only be able to access certain resources where the instance's ID forms part of the resource. For example:
```text
arn:aws:ssm:REGION:ACCOUNT:parameter/<INSTANCE ID>/*
```
What is the best way to achieve this?
Unfortunately this would not be possible for what you're trying to achieve. The IAM permissions for an EC2 instance are not assigned to the instance itself; they are instead attached to an IAM entity (such as the instance's IAM role).
SSM parameters do support a hierarchy so you can create a parameter such as arn:aws:ssm:REGION:ACCOUNT:parameter/InstanceRole/i-1234567/parameter and then limit the IAM role to only access resources which match the pattern arn:aws:ssm:REGION:ACCOUNT:parameter/InstanceRole/.
By doing this you can at least limit the scope for your instances in the same ASG. Also be aware that the parameters themselves would still be accessible for any IAM resources with the permissions granted to them.
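As an added example (not part of the answer above), here is the permissions policy that would be attached to the ASG's instance role to implement the hierarchy approach described. The REGION, ACCOUNT and KEY-ID values are placeholders, and the InstanceRole/ prefix is the one the answer suggests; the second statement is only needed when the parameters are SecureString values encrypted with a customer managed KMS key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyWithinInstanceRoleHierarchy",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:REGION:ACCOUNT:parameter/InstanceRole/*"
    },
    {
      "Sid": "DecryptSecureStringsOnlyThroughParameterStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID",
      "Condition": {
        "StringEquals": { "kms:ViaService": "ssm.REGION.amazonaws.com" }
      }
    }
  ]
}
```

The trailing /* on the parameter ARN is what scopes access to the hierarchy; the policy grants no ssm:PutParameter or ssm:DeleteParameter, so instances can read but not alter configuration. As the answer notes, every instance in the ASG shares this role, so any instance can read any parameter under InstanceRole/, including those named after a sibling's instance ID; the hierarchy limits blast radius to that subtree, not to one instance.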
I'm configuring an Autoscaling group in CloudFormation and I'm trying to start all the EC2 nodes with an IAM role attached to them (one that can allow access to S3, for example).
I know that in CloudFormation there is the ServiceLinkedRoleARN key. According to the docs, this key uses the AutoScalingServiceRolePolicy role by default, and it doesn't have S3 access. I can't create a custom role that contains both the S3 role and the AutoScalingServiceRole role because I'm getting an error:
Cannot attach a Service Role Policy to a Customer Role.
So should I attach only a custom role for S3 to the scaling group? What is the best-practice way to do it?
You specify the instance role for instances in your ASG in either LaunchConfiguration (LC) or LaunchTemplate (LT):
LC, IamInstanceProfile: Provides the name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. The instance profile contains the IAM role.
LT, IamInstanceProfile: The IAM instance profile.
I found out that in AWS::AutoScaling::LaunchConfiguration there is a property called IamInstanceProfile that can be used exactly for that.
Please notice that on the role's page there are 2 ARNs: the profile ARN and the role ARN. I didn't notice that at first and used the role ARN. The right ARN to use is the profile ARN.
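The following is an added example (not from either answer above, nor from AWS's documentation) that ties the two threads together: the first question's String parameter for an existing role name, and this question's instance profile wiring into an Auto Scaling group through a launch template. Logical IDs, the instance type and the AllowedPattern are assumptions; the ImageId and SubnetIds parameters use the real CloudFormation-aware types that do get a console drop-down, in contrast to the plain String the role name has to be.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ASG whose instances receive an existing IAM role through an instance profile (added example)",
  "Parameters": {
    "ExistingRoleName": {
      "Type": "String",
      "Description": "Name of an existing IAM role that trusts ec2.amazonaws.com; no IAM parameter type exists, so this is a plain String",
      "AllowedPattern": "[\\w+=,.@-]{1,64}",
      "ConstraintDescription": "Must be the name of an existing IAM role"
    },
    "SubnetIds": {
      "Type": "List<AWS::EC2::Subnet::Id>",
      "Description": "Subnets for the ASG (this type is presented as a drop-down in the console)"
    },
    "ImageId": {
      "Type": "AWS::EC2::Image::Id",
      "Description": "AMI to launch"
    }
  },
  "Resources": {
    "InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Roles": [ { "Ref": "ExistingRoleName" } ]
      }
    },
    "LaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateData": {
          "ImageId": { "Ref": "ImageId" },
          "InstanceType": "t3.micro",
          "IamInstanceProfile": {
            "Arn": { "Fn::GetAtt": [ "InstanceProfile", "Arn" ] }
          },
          "MetadataOptions": {
            "HttpTokens": "required",
            "HttpPutResponseHopLimit": 1
          }
        }
      }
    },
    "AutoScalingGroup": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {
        "MinSize": "1",
        "MaxSize": "3",
        "VPCZoneIdentifier": { "Ref": "SubnetIds" },
        "LaunchTemplate": {
          "LaunchTemplateId": { "Ref": "LaunchTemplate" },
          "Version": { "Fn::GetAtt": [ "LaunchTemplate", "LatestVersionNumber" ] }
        }
      }
    }
  }
}
```

Note the ARN that reaches the launch template is the instance profile's ARN (Fn::GetAtt InstanceProfile.Arn), not the role's, which is the distinction the answer above points out; AWS::IAM::InstanceProfile takes the role by name, so the String parameter feeds it directly. MetadataOptions with HttpTokens set to required forces IMDSv2, so the role's temporary credentials served from the instance metadata endpoint cannot be fetched by a simple GET from an SSRF-style request. For a LaunchConfiguration instead of a LaunchTemplate, IamInstanceProfile is a single string holding the profile name or ARN rather than an object.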
Can someone explain why Roles were designed by AWS to have a Principal like an entire service (EC2, Lambda, etc.), i.e. without the ability to associate/restrict them to be assumable by a specific EC2 instance type or a specific Lambda function? Am I missing a key AWS design concept here?
If I want to restrict a particular role to be assumable only by t2.micro EC2 instances (and no other EC2 instance family type), is this achievable in AWS? If this can be done, in which permissions policy would this restriction be written?
I tried adding the Condition section below to the 'Trusted Identity' policy of the role, but this does not work, i.e. other instance types, for example t2.large, are also able to perform actions such as creating a bucket (using the CLI).
```json
"Condition": {
  "StringEquals": {
    "ec2:InstanceType": [
      "t2.micro"
    ]
  }
}
```
No, it is not possible to put limitations in the Trust Policy.
If you only want certain IAM Roles to be used on particular instances, you would need to enforce that through the use of iam:PassRole. This is the permission that determines whether somebody has permission to pass a particular role to a service (such as an EC2 instance). Put simply: You can limit who is allowed to select an IAM Role and then trust that they know when to use it correctly.
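As an added example (not part of the answer above), here is an identity-based policy for the people or pipeline that launch instances, implementing the iam:PassRole approach the answer describes. The role name MicroInstanceRole and the REGION/ACCOUNT values are placeholders. The restriction lands on the launching identity rather than on the role: that identity may pass only this one role, only to EC2, and may only launch t2.micro instances, while the role's own trust policy keeps the plain ec2.amazonaws.com principal.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyThisRoleAndOnlyToEc2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::ACCOUNT:role/MicroInstanceRole",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" }
      }
    },
    {
      "Sid": "LaunchOnlyT2Micro",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT:instance/*",
      "Condition": {
        "StringEquals": { "ec2:InstanceType": "t2.micro" }
      }
    },
    {
      "Sid": "OtherResourcesRunInstancesNeeds",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:REGION::image/ami-*",
        "arn:aws:ec2:REGION:ACCOUNT:subnet/*",
        "arn:aws:ec2:REGION:ACCOUNT:security-group/*",
        "arn:aws:ec2:REGION:ACCOUNT:network-interface/*",
        "arn:aws:ec2:REGION:ACCOUNT:volume/*",
        "arn:aws:ec2:REGION:ACCOUNT:key-pair/*"
      ]
    }
  ]
}
```

The ec2:InstanceType condition is only evaluated for the instance resource of a RunInstances call, so it sits in its own statement; the image, subnet, security group and other resources the call touches are allowed without that condition, otherwise the launch fails. iam:PassedToService prevents the same identity from handing MicroInstanceRole to Lambda or another service. Because the role itself stays assumable by any EC2 instance it is attached to, detection of misuse should key on CloudTrail RunInstances events where the IamInstanceProfile names this role, not on the trust policy.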
I made a typo while creating an IAM role to allow a Lambda function to access the CloudWatch logs and to create EC2 volume snapshots. Is there any way to rename the role, whether by using the console or the AWS CLI?
You cannot edit IAM roles after the role has been created. This is mentioned in several places, including when the role is created through the IAM console.
And in several places in the docs.
For Role name, type a role name to help identify the purpose of this role. Role names must be unique within your AWS account. After you enter the name, click Next Step.
Role names have character limitations. The number of roles in an AWS account and the policy size for policies attached to roles are also limited. For more information, see Limitations on IAM Entities and Objects. Note that you cannot edit the name of the role after it is created.
It is not possible to edit the name via the console or AWS CLI.