is there a way that i could update an existing roles iam (inline) policy.
Process followed for now:
1) I am able to create an role
2) I am able to attach a managed policy
3) I am able to attach an inline policy
I accept 2 parameters in the script one is an externalid and another is the role name. If the enduser or customer specifies an input for an existing role then i would have update the existing role's IAM Policy and i have to add new aws services to the existing policy
Thanks
Nataraj
This is straightforward with update stack.
ASR Thank you very much for your input
Related
I want to add a new role to an existing redshift cluster using CloudFormation.
How Can I add it?
Here are the AWS docs for a manual change
To associate an IAM role with a cluster
Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/
On the navigation menu, choose Clusters, then choose the name of the cluster that you want to update.
For Actions, choose Manage IAM roles. The IAM roles page appears.
Either Choose Enter ARN and then enter an ARN or an IAM role, or choose an IAM role from the list. Then choose Add IAM role to add it to the list of Attached IAM roles.
Choose Done to associate the IAM role with the cluster. The cluster is modified to complete the change.
Via Cloudformation, you would use the IamRoles attribute, as outlined here.
I want to create an access key in IAM-User, but I don't have permission to do that, so I want to use cloudformation to create an IAM user/role which I have permission, can anyone shows me a template for that? I couldn't find a correct one, Thanks
I don't have permission to do that
If you don't have permissions to create IAM users/roles you can't create them with CloudFormation either as it uses your permissions, which you lack, to create resources.
The only way would be if you were given a role which can be assumed by CloudFormation to create IAM entities, instead of using your permissions. But this is unlikely. You can ask your AWS admins if they can create/give you such a role for CloudFormation.
I'm new to AWS and I have a task to add tags to different resources.
I'm getting this error on the CloudFormation
Did not have IAM permissions to process tags on AWS::CodePipeline::Pipeline resource.
Is anyone familiar with this? I just added Tags in Properties.
Thanks in advance!
Your Cloudformation is probably correct, but the IAM User or Role doesn't have the IAM permissions for codepipeline:TagResource
Checkout the available IAM actions for Codepipeline and ensure your IAM user/role has these permissions
The error says it all. Check the IAM permissions of the cloudformation role that they can assign tags to the codepipeline resource. If you are using specific permissions you will need to enable TagResource, otherwise if the role has permissions:
"codepipeline":"*"
Ensure that they are able to apply them to the resource in question.
I need to provide IAM role creation permission to a user but with a condition that if he does it only from some AWS service.
For example, if a user running cloudformation stack and attempting to create an IAM role, he should be allowed. if he manually creating role it should be denied. or if a person creating a codepipeline he should have permission to create the role.
The concept you are looking for sounds like service-linked roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/
However, I don't think it is supported for CloudFormation or CodePipeline
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
I made a typo while creating an IAM role to allow a lambda function to access the cloudwatch logs and to create EC2 volumes snapshots. Is there any way to rename the role, whether by using the console or the AWS CLI ?
You cannot edit IAM roles after the role has been created. This is mentioned in several places, including when the role is created through the IAM console.
And in several places in the docs.
For Role name, type a role name to help identify the purpose of this role. Role names must be unique within your AWS account. After you enter the name, click Next Step.
Role names have character limitations. The number of roles in an AWS account and the policy size for policies attached to roles are also limited. For more information, see Limitations on IAM Entities and Objects. Note that you cannot edit the name of the role after it is created.
It is not possible to edit the name via the console or AWS CLI.