I want to attach an AWS managed Role to my EC2 instance in CloudFormation. Therefore I need to attach the managed role to an instance profile and attach the instance profile to the EC2 instance.
How can I attach the managed role to the instance profile?
I tried:
```yaml
ASGIAMInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    InstanceProfileName: asg-instance-profile
    Roles:
      - AWSServiceRoleForAutoScaling
```
But I got:
Cannot perform the operation on the protected role 'AWSServiceRoleForAutoScaling' - this role is only modifiable by AWS (Service:
I know I can recreate a comparable role and attach it to an instance profile but that seems a bit overkill.
The only "managed roles" are service-linked roles. These are special roles that are directly attached to a service itself and cannot be attached to other entities.
You can, however, associate a Managed Policy with roles. These are the policies shown in the "Policies" section of the IAM management console.
I created an IAM Role for EC2 called Role4EC2-FA and assigned the AmazonS3FullAccess policy to it. I was able to attach the same to the EC2 instance and access the S3 services from the EC2.
In the Trust Relationship I changed the Principal Service from ec2.amazonaws.com to s3.amazonaws.com, but I was still able to attach the same IAM Role to an EC2 instance, which should not be the case. But the good thing is that the S3 service was not accessible from the EC2 instance this time.
Is this the expected behavior?
It is not the trust policy which decides whether a role can be attached to an instance or not. It is the instance profile.
The trust policy says which service can assume this role. When you changed it to S3, EC2 was no longer allowed to assume it; that is why it couldn't access S3.
But as you still have an instance profile, you can still attach it to an instance.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
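The following template is an added example (not code from either of the questions or answers above) that puts both points together: a service-linked role such as AWSServiceRoleForAutoScaling cannot be placed in an instance profile, so the template creates its own role, attaches AWS managed policies to it, and wraps it in an instance profile. The trust policy is what lets EC2 assume the role; the instance profile is what makes the role attachable to an instance. The two managed policy ARNs are real AWS managed policies chosen only for illustration.

```yaml
# Added example, not from the original posts. Resource names are arbitrary.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: decides WHO may assume the role. For an instance role
      # the principal must be the EC2 service; with any other principal the
      # role can still be attached via the profile but the instance gets no
      # credentials for it.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Managed POLICIES (not service-linked roles) carry the permissions.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      # Exactly one role per instance profile; this is what the instance,
      # launch configuration or launch template references.
      Roles:
        - !Ref InstanceRole
Outputs:
  InstanceProfileArn:
    Description: Use this ARN (not the role ARN) when launching instances
    Value: !GetAtt InstanceProfile.Arn
```

If you later change the trust policy so that ec2.amazonaws.com is no longer a principal, the stack still deploys and the profile still attaches, but calls from the instance fail with missing credentials, which is the behaviour the second question observed.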
I am using Metricbeat to monitor metrics from a few AWS accounts. I have read through the doc: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
It says to configure the credentials as environment variables or in the AWS credentials file. But I'd like to use a cross-account IAM policy to access different AWS accounts. That means Metricbeat needs to assume a role when it tries to query metrics. How can I achieve this in Metricbeat? I can't find a related doc in their documentation.
So you can specify the IAM Role like this
Metricbeat Configuration Params
```yaml
metricbeat.modules:
  - module: aws
    period: 300s
    metricsets:
      - ec2
    role_arn: arn:aws:iam::123456789012:role/test-mb
```
I would say there is nothing like a Cross Account Policy.
Your role has permissions based on the policies you assign to it via IAM Policies.
When you want to use Cross-Account IAM Roles, you still have to assign IAM Policies to the role you create in the destination account, plus an IAM Trust Policy so that you can assume the role from another account. In addition to that, your source IAM Role must have permissions to assume the destination IAM Role.
IAM Role Delegation
How to use trust policies with IAM roles
IAM Tutorial: Delegate access across AWS accounts using IAM roles
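As an added example (not from the answers above or from the Metricbeat project), here are the two halves of that delegation as CloudFormation templates, one per account, matching the role_arn used in the Metricbeat configuration earlier. Account 123456789012 is the monitored account from that configuration; 111122223333 is a placeholder for the account Metricbeat runs in. The permission list on the monitored-account role is an assumed set of read-only calls for the ec2 metricset; check the Metricbeat aws module documentation for the exact actions your metricsets need.

```yaml
# Added example, not from the original posts. Account IDs are placeholders.
#
# --- Template 1: deploy in the MONITORED account 123456789012 ---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  MonitoringRoleArn:
    Type: String
    Description: Role in the monitoring account that is allowed to assume test-mb
    Default: arn:aws:iam::111122223333:role/metricbeat-instance-role
Resources:
  MetricbeatReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: test-mb
      # Trust policy: only the named role in the other account may assume this role.
      # Trusting a specific role rather than the whole account keeps the blast
      # radius to the Metricbeat host.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref MonitoringRoleArn
            Action: sts:AssumeRole
      # Permission policy: what the assumed role may do here (assumed read-only set)
      Policies:
        - PolicyName: metricbeat-read
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudwatch:GetMetricData
                  - cloudwatch:ListMetrics
                  - ec2:DescribeInstances
                  - ec2:DescribeRegions
                  - sts:GetCallerIdentity
                  - iam:ListAccountAliases
                Resource: '*'
---
# --- Template 2: deploy in the MONITORING account 111122223333 ---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MetricbeatInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: metricbeat-instance-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # The source role needs explicit permission to call AssumeRole on the
      # destination role; the trust policy on the other side is not enough.
      Policies:
        - PolicyName: assume-monitored-account-role
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: arn:aws:iam::123456789012:role/test-mb
  MetricbeatInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref MetricbeatInstanceRole
```

Deploy Template 2 first: IAM rejects a trust policy whose AWS principal is a role ARN that does not exist yet, so the monitoring-account role must exist before Template 1 is created. Once both are in place, the Metricbeat host's instance credentials can assume test-mb and the aws module uses that role for its CloudWatch and EC2 calls.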
I'm configuring an Autoscaling group in CloudFormation and I'm trying to start all the EC2 nodes with an IAM role attached to them (one that allows access to S3, for example).
I know that in CloudFormation there is the ServiceLinkedRoleARN key. According to the docs this key uses the AutoScalingServiceRolePolicy role by default, and it doesn't have S3 access. I can't create a custom role that contains both the S3 role and the AutoScalingServiceRole role because I get an error:
Cannot attach a Service Role Policy to a Customer Role.
So should I attach only a custom S3 role to the scaling group? What is the best-practice way to do it?
You specify the instance role for instances in your ASG in either LaunchConfiguration (LC) or LaunchTemplate (LT):
LC: IamInstanceProfile:
Provides the name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. The instance profile contains the IAM role.
LT: IamInstanceProfile
The IAM instance profile.
I found out that in AWS::AutoScaling::LaunchConfiguration there is a property called IamInstanceProfile that can be used exactly for that.
Please note that on the role's page there are 2 ARNs: the instance profile ARN and the role ARN. I first didn't notice that and used the role ARN. The right ARN to use is the instance profile ARN.
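An added example (not from the answers above) showing the launch template route: the Auto Scaling group keeps its default service-linked role for scaling operations, while the instances get their own S3 role through the instance profile referenced in the launch template. The ARN passed to IamInstanceProfile is the profile's ARN, taken with !GetAtt, not the role's. The ImageId and SubnetIds parameters and the instance type are placeholders for the reader's environment.

```yaml
# Added example, not from the original posts.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ImageId:
    Type: AWS::EC2::Image::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  S3ReadRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  S3ReadInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref S3ReadRole
  NodeLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro
        IamInstanceProfile:
          # Instance PROFILE ARN. Passing S3ReadRole.Arn here fails at launch.
          Arn: !GetAtt S3ReadInstanceProfile.Arn
        MetadataOptions:
          # Role credentials are served from the instance metadata service;
          # requiring IMDSv2 tokens makes them harder to read via SSRF-style bugs.
          HttpTokens: required
  NodeGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '1'
      MaxSize: '3'
      VPCZoneIdentifier: !Ref SubnetIds
      # No ServiceLinkedRoleARN set: the group uses the default
      # AWSServiceRoleForAutoScaling, which is separate from the instance role.
      LaunchTemplate:
        LaunchTemplateId: !Ref NodeLaunchTemplate
        Version: !GetAtt NodeLaunchTemplate.LatestVersionNumber
```

The split mirrors the answers: the service-linked role is what Auto Scaling itself uses to launch and terminate instances, and the instance role is what software on the instances uses, so no custom role ever needs to combine the two.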
I see that only one role can be assigned through the AWS console.
A role can have multiple policies.
Is there a possibility/necessity to assign more than one role to EC2?
No, it is not possible, nor is there a necessity.
If your IAM Role needs to access multiple resources, you can do so by attaching multiple policies to a single IAM Role.
For more information, check Policies and Permissions
AWS does not support the ability to assign more than one instance role to an instance.
From the AWS user guide:
An instance profile can contain only one IAM role. This limit cannot be increased.
The instance can be assigned a role and that role can be assigned multiple policies. Or you can create a single policy that contains all permissions necessary for that instance.
See: Instance Roles for EC2
Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of Cloud Formation?
More specifically, I'm trying to define an auto scaling template where:
Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
The same policy is applied to the user when they try and access these instances.
I'm trying to keep duplication to a minimum and it seems like I may be able to achieve it via a Policy linked to a role, and group of users. The role can then be associated with EC2 Instance via instance profile and users can be added to the groups which in turn are assigned the policy.
Why and under what circumstances would one use a ManagedPolicy?
Thank you for your assistance.
EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?
AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.
The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.
If I may add, testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share, iam.Policy is created as an inline policy.
```typescript
import * as iam from 'aws-cdk-lib/aws-iam';
// Runs inside a Stack or Construct (`this`). policyDocs is a constructed example statement.
const policyDocs = [
  new iam.PolicyStatement({
    actions: ['s3:GetObject'],
    resources: ['arn:aws:s3:::example-bucket/*'],
  }),
];
// Inline policy: only rendered once attached to a user, group or role
new iam.Policy(this, 'testPolicy2', {
  statements: policyDocs,
  //groups: [s3UserGroup],
  policyName: 'testPolicy2'
})
// Customer managed policy: stands alone and can be attached to several principals
new iam.ManagedPolicy(this, 'testPolicy3', {
  statements: policyDocs,
  //groups: [s3UserGroup],
  managedPolicyName: 'testPolicy3'
})
```
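For the CloudFormation side of the question, here is an added example (not from the answers above) of the de-duplication the asker was after: one AWS::IAM::ManagedPolicy carries the shared permissions and is attached to both the instance role and a user group, while an AWS::IAM::Policy (inline, so it must name at least one of Roles, Groups or Users) holds a permission that only the instances need. The bucket name and log group ARN are placeholders.

```yaml
# Added example, not from the original posts.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole
  OperatorsGroup:
    Type: AWS::IAM::Group
  # Managed policy: defined once, attached to a role AND a group. Updating the
  # document here updates every principal that has it attached.
  SharedBucketReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read access to the app bucket, shared by instances and operators
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::example-app-bucket
              - arn:aws:s3:::example-app-bucket/*
      Roles:
        - !Ref InstanceRole
      Groups:
        - !Ref OperatorsGroup
  # Inline policy: lives inside the role it names; it cannot be reused elsewhere
  # and CloudFormation requires at least one of Roles, Groups or Users here.
  InstanceLogsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: instance-logs-inline
      Roles:
        - !Ref InstanceRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:log-group:/example/app:*
```

Note that the role resource itself only carries the trust policy, as the earlier answer says; all permissions arrive through the separately defined managed and inline policies, and users gain the shared permissions simply by being added to OperatorsGroup.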