I see that, in TaskDefinition properties, one can define 2 kind of roles: ExecutionRoleArn and TaskRole Arn
I tried to understand from documentation about both:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html
But still I don’t understand the reasoning behind having two? Can someone explain why it is done so this way?
TaskRoleArn refers to the arn of that role which will be utilized to call other AWS services or access AWS resources such as permissions needed for writing data into DynamoDB table, read information from any S3 bucket, etc.
ExecutionRoleArn refers to the arn of the role which will take care of permissions required for publishing logs to CloudWatch as well as push and pull Docker images from Amazon ECR.
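As an added illustration that is not part of the original answer, the following CloudFormation fragment keeps the two roles separate and gives each only what its side needs; ActivityTable and ConfigBucket are assumed resources defined elsewhere in the same template, and the CloudWatch log group is assumed to exist already.

```yaml
Resources:
  # Execution role: used by the ECS agent to pull the image and ship logs.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
  # Task role: the credentials your application code receives through the SDK.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: app-data-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [dynamodb:PutItem, dynamodb:UpdateItem]
                Resource: !GetAtt ActivityTable.Arn      # assumed table in this template
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "${ConfigBucket.Arn}/*"   # assumed bucket in this template
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: example-app
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn   # agent-side permissions
      TaskRoleArn: !GetAtt TaskRole.Arn                 # application-side permissions
      ContainerDefinitions:
        - Name: app
          Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/example-app:latest"
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/example-app   # assumed to exist already
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: app
```

Because the ECR pull and log-writing permissions live only on the execution role, a compromised container cannot use its own credentials to read other images or write to other log groups.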
What is the best way to access the ARN of the CloudWatch RUM monitor? I need to create an IAM policy in CDK to restrict permissions to just a single CloudWatch RUM monitor but the CfnAppMonitor construct has no accessible property for it
Nor is there any property for it in the CFN itself - so doing cfnAppMonitor.getAtt("Arn") doesn’t return any ARN
Sources: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rum.CfnAppMonitor.html#cfnproperties
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rum-appmonitor-appmonitorconfiguration.html
I ended up just constructing the ARN myself.
arn:aws:rum:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:appmonitor/${props.rumId}
In the docs I referenced there's a callout for resource.arn: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rum.CfnAppMonitor.html#getwbrattattributename
but I found the above approach works just as well. If someone else has ever had a need for getting the ARN in that manner and has an example, definitely send it my way!
I'm trying to use CloudFormation AddOn template in the following scenario:
Service 1 creates an SNS Topic and a Managed Policy that has all the necessary permissions to publish to it. The SNS Topic will collect "Activity" records and then fan them out to multiple subscribers.
A common code library abstracts away the usage of SNS - any applications that need to post activity messages do so without any knowledge that SNS is being used underneath the covers.
Service N needs to publish activity messages using the common code library and needs whatever permissions are necessary.
So service 1 writes the Managed Policy ARN out as an exported output to the AddOn stack like so:
Outputs:
  activityPublishPolicy:
    Description: "Activity Publish Policy ARN"
    Value: !Ref activitySnsTopicPublishPolicy
    Export:
      Name: !Sub ${App}-${Env}-activity-publish-policy
Then in service N, I was hoping to import the ARN of the publishing policy and get it attached to the task role:
Outputs:
  activityPublishAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !ImportValue
      'Fn::Sub': '${App}-${Env}-activity-publish-policy'
The ARN is imported just fine and written out to the CloudFormation stack of Service N; however, the Task Role does not get the Managed Policy attached to it.
I did a quick test to see if adding the policy directly to the AddOn stack would attach and that does indeed work.
Outputs:
  activityPublishAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !Ref activityPolicy
This leads me to believe that Copilot only attaches ManagedPolicies to the Task Role that are created in its own AddOn Stack, but that's just a guess.
I'd prefer not to write a new policy in every service to do this, and I'd prefer not to open up the topic policy to our whole VPC if possible.
Is there a better way of doing this?
Thanks!
This is because Copilot scans the Addons template to determine the type of the resource you're outputting. There are several "magic" outputs for addons. They are:
Security Groups
Managed Policies
Secrets
To detect these outputs, we scan the template looking for the logical ID of the referenced resource. This means that we don't currently have a way of deriving the resource type of the results of Fn::ImportValue calls, since they don't refer to a logical ID defined in that addons template!
I'm sorry this is causing you problems--it seems like you may need to add the managed policy to the addons stack of each service you want to grant this access to. This is something we might be able to do something about, though, and would love it if you could cut us a GitHub issue so we can prioritize and gather feedback on a proposal.
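As an added example (not from the original answer or from the Copilot project) of the per-service workaround described above: an addons template for service N that declares its own managed policy, so Copilot can resolve the output's logical ID to a ManagedPolicy, while still importing only the topic ARN across the stack boundary. It assumes Service 1 also exports the topic ARN under the name `${App}-${Env}-activity-topic-arn`.

```yaml
# Assumed file location: copilot/<service-N>/addons/activity-publish.yml
Parameters:
  App:
    Type: String
  Env:
    Type: String
  Name:
    Type: String

Resources:
  # Declared in this addons template, so Copilot can resolve the logical ID
  # to AWS::IAM::ManagedPolicy and attach it to the task role.
  ActivityPublishPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: PublishToSharedActivityTopic
            Effect: Allow
            Action: sns:Publish
            # Only the topic ARN crosses the stack boundary (assumed export from Service 1).
            Resource:
              Fn::ImportValue: !Sub "${App}-${Env}-activity-topic-arn"

Outputs:
  activityPublishAccessPolicy:
    Description: "Managed policy granting sns:Publish on the shared activity topic."
    Value: !Ref ActivityPublishPolicy
```

Scoping the policy to the single topic ARN keeps the topic's own access policy unchanged, so there is no need to widen it to the whole VPC.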
I'm attempting to achieve the following through CloudFormation.
From a stack created in an EU region I want to create (and verify) a public certificate against Route53 in US-EAST-1 due to using CloudFront. Aiming to have zero actions performed in the console or AWS CLI.
The new CloudFormation support for ACM was a little sketchy last week but seems to be working now.
Certificate
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub "${Env}.domain.cloud"
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub "${Env}.domain.cloud"
          HostedZoneId: !Ref HostedZoneId
All I need to do is use CloudFormation to deploy this into the US-EAST-1 region from a stack in a different region. Everything else is ready for this.
I thought that using CodePipeline's cross-region support would be great, so I started to look into [this documentation][1]. After setting things up in my template I met the following error message...
An error occurred while validating the artifact bucket {...} The bucket named is not located in the `us-east-1` AWS region.
To me this makes no sense, as it seems that you already need at least a couple of resources to exist in the target region for it to work. Cart before the horse kind of behavior. To test this I created an artifact bucket in the target region by hand and things worked fine, but that requires using the CLI or the console when I'm aiming for a CloudFormation based solution.
Note: I'm running out of time to write this, so I'll update it when I can in a few hours' time. Any help before I can do that would be great though.
Sadly, that's required for cross-region CodePipeline. From docs:
When you create or edit a pipeline, you must have an artifact bucket in the pipeline Region and then you must have one artifact bucket per Region where you plan to execute an action.
If you want to fully automate this through CloudFormation, you either have to use a custom resource to create buckets in all the regions in advance, or look at stack sets to deploy one bucket template in multiple regions.
P.S. Your link does not work, thus I'm not sure if you refer to the same documentation page.
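An added example of the stack-set option mentioned above (not from the original answer): a resource in the EU stack that deploys the same encrypted, non-public artifact bucket into each Region the pipeline will act in. It assumes the SELF_MANAGED StackSets roles already exist in the account and uses constructed Region and bucket names.

```yaml
# Assumed: the SELF_MANAGED StackSets roles (AWSCloudFormationStackSetAdministrationRole
# and AWSCloudFormationStackSetExecutionRole) already exist in this account.
Resources:
  ArtifactBucketStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: !Sub "${AWS::StackName}-artifact-buckets"
      PermissionModel: SELF_MANAGED
      # One stack instance per Region in which the pipeline runs an action.
      StackInstancesGroup:
        - DeploymentTargets:
            Accounts: [!Ref "AWS::AccountId"]
          Regions: [eu-west-1, us-east-1]
      # The nested template is a plain string here; its !Sub resolves in each target Region.
      TemplateBody: |
        AWSTemplateFormatVersion: "2010-09-09"
        Resources:
          ArtifactBucket:
            Type: AWS::S3::Bucket
            Properties:
              BucketName: !Sub "${AWS::AccountId}-pipeline-artifacts-${AWS::Region}"
              BucketEncryption:
                ServerSideEncryptionConfiguration:
                  - ServerSideEncryptionByDefault:
                      SSEAlgorithm: AES256
              PublicAccessBlockConfiguration:
                BlockPublicAcls: true
                BlockPublicPolicy: true
                IgnorePublicAcls: true
                RestrictPublicBuckets: true
```

The pipeline resource in the same template can then list each Region's bucket in its ArtifactStores using the same predictable name pattern, with a DependsOn on the stack set so the buckets exist before the pipeline is validated.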
I want to use the CloudFormation package and deploy functions, but how do I go about determining what IAM permissions are required to run them?
In general, how do I determine what permissions are required?
Based on the fact that you are using this for Lambda, I'm guessing that this is related to your other question CloudFormation to setup CodePipeline/CodeBuild to deploy SAM application.
In the answer to that question I referenced an Example CloudFormation Template. If you look at the CloudFormationServicePolicy from that example, you will likely find everything you need.
For the answer to this specific question though, there are two parts:
To package you'll need:
A Deployment Artifact bucket (ArtifactBucket)
s3:PutObject permissions for the user to the ArtifactBucket
Deploying is much harder to answer. In the above referenced CloudFormationServicePolicy you can find a full set of permissions we use with CloudFormation to deploy a function. At the very least, you'll need:
iam:PassRole (assuming you're passing an existing role)
lambda:CreateFunction
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:AddPermission
lambda:GetEventSourceMapping
lambda:CreateEventSourceMapping
lambda:DeleteEventSourceMapping
If you're doing your deploy through the console, you'll likely also need:
iam:GetRole
iam:ListRole
lambda:GetFunction
lambda:GetFunctionConfiguration
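As an added example that is not part of the original answer: the package and deploy actions listed above, written as a managed policy with resource scoping so the deploying principal can only upload to the artifact bucket, manage functions under a chosen name prefix, and pass one specific role to Lambda. ArtifactBucketName, FunctionPrefix and LambdaExecutionRoleArn are assumed parameters.

```yaml
Parameters:
  ArtifactBucketName:
    Type: String
  FunctionPrefix:
    Type: String          # e.g. "myapp-" so only myapp-* functions can be managed
  LambdaExecutionRoleArn:
    Type: String          # the existing role the deployed functions run as

Resources:
  SamDeployerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: PackageUploadsArtifacts
            Effect: Allow
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${ArtifactBucketName}/*"
          - Sid: DeployManagesPrefixedFunctionsOnly
            Effect: Allow
            Action:
              - lambda:CreateFunction
              - lambda:UpdateFunctionCode
              - lambda:UpdateFunctionConfiguration
              - lambda:AddPermission
            Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionPrefix}*"
          - Sid: EventSourceMappingsForPrefixedFunctions
            Effect: Allow
            Action:
              - lambda:GetEventSourceMapping
              - lambda:CreateEventSourceMapping
              - lambda:DeleteEventSourceMapping
            Resource: "*"   # mapping IDs are unknown in advance; the condition limits the function
            Condition:
              StringLike:
                lambda:FunctionArn: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionPrefix}*"
          - Sid: PassOnlyTheLambdaRoleToLambda
            Effect: Allow
            Action: iam:PassRole
            Resource: !Ref LambdaExecutionRoleArn
            Condition:
              StringEquals:
                iam:PassedToService: lambda.amazonaws.com
```

The iam:PassRole condition is the part most often left out: without it, a deployer that can pass any role can hand an administrative role to a function it controls.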
I created an S3 bucket using a CloudFormation template script.
Now I want to access the S3 bucket name and endpoint from instance metadata.
Any help?
To enable applications running on an Amazon EC2 instance to access Amazon S3 (or any AWS service), you can create an IAM Role for the EC2 instance and assign it to the instance.
Applications on that instance that use the AWS SDK to make API calls to AWS will automatically have access to credentials with permissions described in the assigned role.
Your particular situation is slightly difficult because the CloudFormation template will create a bucket with a unique name, while your IAM Role will want to know the exact name of the Amazon S3 bucket. This can be accomplished by referring to the S3 bucket that was created within the CloudFormation template.
The template would need to create these resources:
AWS::S3::Bucket
AWS::IAM::Role to define the permissions
AWS::IAM::InstanceProfile to link the role to the EC2 instance
AWS::EC2::Instance that refers to the IAM Role
Within the definition of the IAM Role, the ARN for the S3 bucket would need to refer to the bucket created elsewhere in the template. This would require a bit of string manipulation to insert the correct value into the policy.
If you run into difficulty, feel free to create another StackOverflow question showing the template that you have been working on, highlighting the part that is causing difficulty.
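As an added example (not from the original answer) of the four resources listed above, with the bucket ARN taken from the bucket resource itself rather than guessed, and the generated bucket name and regional endpoint handed to the instance through UserData, since neither appears in instance metadata. The AMI is taken from the public SSM parameter for Amazon Linux 2023; the instance type and file path are constructed.

```yaml
Parameters:
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
Resources:
  DataBucket:
    Type: AWS::S3::Bucket   # no BucketName, so CloudFormation picks a unique one
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: data-bucket-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt DataBucket.Arn        # resolved from the bucket above
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]
                Resource: !Sub "${DataBucket.Arn}/*"
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref InstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # The bucket name is not in instance metadata, so it is handed over here.
          echo "BUCKET_NAME=${DataBucket}" > /etc/app-bucket.env
          echo "BUCKET_ENDPOINT=${DataBucket.RegionalDomainName}" >> /etc/app-bucket.env
```

Applications on the instance then read the bucket name from that file and obtain credentials from the instance profile through the SDK, with access limited to that one bucket.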