I am trying to launch a CFT using the AWS Cloud Trail API. The problem is, when I launch the CFT directly in the AWS console it presents me with an IAM capability check screen.
How can I handle this check box while using the API?
Using the API
Capabilities.member.N
A list of values that you must specify before AWS CloudFormation can create certain stacks. Some stack templates might include resources that can affect permissions in your AWS account, for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge their capabilities by specifying this parameter.
The only valid values are CAPABILITY_IAM and CAPABILITY_NAMED_IAM. The following resources require you to specify this parameter: AWS::IAM::AccessKey, AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, and AWS::IAM::UserToGroupAddition. If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.
If you have IAM resources, you can specify either capability. If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. If you don't specify this parameter, this action returns an InsufficientCapabilities error.
For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
Type: Array of strings
Valid Values: CAPABILITY_IAM | CAPABILITY_NAMED_IAM
http://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
Using the AWS CLI
--capabilities (list)
A list of values that you must specify before AWS CloudFormation can create certain stacks. Some stack templates might include resources that can affect permissions in your AWS account, for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge their capabilities by specifying this parameter.
The only valid values are CAPABILITY_IAM and CAPABILITY_NAMED_IAM. The following resources require you to specify this parameter: AWS::IAM::AccessKey, AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, and AWS::IAM::UserToGroupAddition. If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.
If you have IAM resources, you can specify either capability. If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. If you don't specify this parameter, this action returns an InsufficientCapabilities error.
http://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html
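The docs quoted above put the decision on the caller: acknowledge CAPABILITY_IAM or CAPABILITY_NAMED_IAM only after reviewing the IAM resources in the template. As an added example (not from the answer or from AWS), this Python snippet inspects a template for the resource types listed in the docs, reports which logical IDs a reviewer should look at, and builds the create_stack arguments with the Capabilities list set only when required. The mapping of resource type to custom-name property (RoleName, UserName, GroupName, InstanceProfileName) is my assumption derived from the "custom names" rule; the sample template is constructed.

```python
import json

# IAM resource types that the CreateStack docs quoted above say require a capability.
IAM_RESOURCE_TYPES = {
    "AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
    "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User",
    "AWS::IAM::UserToGroupAddition",
}
# Properties that give an IAM resource a custom name and so raise the requirement
# to CAPABILITY_NAMED_IAM (assumed mapping, not taken from the docs quoted here).
CUSTOM_NAME_PROPERTIES = {
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
}

def required_capability(template):
    """Return (capability or None, logical IDs of IAM resources to review)."""
    iam_resources, needs_named = [], False
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        if rtype not in IAM_RESOURCE_TYPES:
            continue
        props = resource.get("Properties") or {}
        if CUSTOM_NAME_PROPERTIES.get(rtype) in props:
            needs_named = True
        iam_resources.append(logical_id)
    if not iam_resources:
        return None, []
    return ("CAPABILITY_NAMED_IAM" if needs_named else "CAPABILITY_IAM"), iam_resources

def create_stack_args(stack_name, template):
    """Keyword arguments for boto3's cloudformation.create_stack(); Capabilities is
    added only when the template needs it, after the IAM resources were reviewed."""
    capability, _ = required_capability(template)
    args = {"StackName": stack_name, "TemplateBody": json.dumps(template)}
    if capability:
        args["Capabilities"] = [capability]
    return args

# Constructed sample template: a role with a fixed RoleName plus a plain bucket.
SAMPLE_TEMPLATE = {"Resources": {
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "deploy-role",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "lambda.amazonaws.com"}}]}}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}
```

Pass the result as `boto3.client("cloudformation").create_stack(**create_stack_args(...))`; without the Capabilities entry the call fails with the InsufficientCapabilities error described above.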
In AWS CloudFormation, why do we have to edit IAM roles in the template only? Then why is the option given in the console? When trying to update the IAM role it says nothing to update.
The role in question is used to grant CloudFormation the permissions to deploy specific resources as part of the stack. By default, if you don't specify what role the stack should use, it will use the permissions assigned to the user that's creating the CFN stack. So, for example, in case you don't have permissions to deploy IAM resources and you try to deploy a CFN stack containing an IAM Role, it will fail due to lack of permissions. This is where the CloudFormation IAM Roles come in handy. You can have a CloudFormation role deployed that has more permissions than the role you're using to deploy the stack itself, and by assigning it to the CFN stack you're now able to provision those resources.
To update the IAM Role that the stack uses without making any changes to the stack resources, you can go to Update -> Use current template -> Change IAM role (in Permissions), pick the role you want the stack to use and click Update stack. Once completed you can check the Stack info and in Overview the new IAM Role ARN should be listed.
When deploying the resources from the pipeline or aws cli you can also specify the role you want your stack to use to provision the resources.
aws cloudformation deploy \
--template-file package.yaml \
--stack-name YOUR-STACK-NAME \
--role-arn arn:aws:iam::123456789012:role/YOUR-IAM-ROLE
Your screenshot shows the AWS CloudFormation (CFN) service role. This is a totally different role from those in your templates. Namely, CFN will use that role to create/update your stack. By default CFN uses your own IAM user permissions, but you can tell CFN to use the given CFN service role instead.
I want to create an S3 bucket via CloudFormation template. I found there is a way to do it for an EC2 instance on this link.
Do we have a way to create S3 bucket using existing IAM role via cloudformation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permission part to find out how to use an existing IAM role for creating a Cloudformation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using a CloudFormation template, there are two ways to do it:
CloudFormation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way.
Secondly (optional), you can choose an existing role that can be attached to the CF template. The CloudFormation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket, as can be seen in the attached screenshot.
I want to use the CloudFormation package and deploy functions, but how do I go about determining what IAM permissions are required to run these?
In general, how do I determine what permissions are required?
Based on the fact that you are using this for Lambda, I'm guessing that this is related to your other question CloudFormation to setup CodePipeline/CodeBuild to deploy SAM application.
In the answer to that question I referenced an Example CloudFormation Template. If you look at the CloudFormationServicePolicy from that example, you will likely find everything you need.
For the answer to this specific question though, there are two parts:
To package you'll need:
A Deployment Artifact bucket (ArtifactBucket)
s3:PutObject permissions for the user to the ArtifactBucket
To deploy is much harder to answer. In the above referenced CloudFormationServicePolicy you can find a full set of permissions we use with CloudFormation to deploy a function. At the very least, you'll need:
iam:PassRole (assuming you're passing an existing role)
lambda:CreateFunction
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:AddPermission
lambda:GetEventSourceMapping
lambda:CreateEventSourceMapping
lambda:DeleteEventSourceMapping
If you're doing your deploy through the console, you'll likely also need:
iam:GetRole
iam:ListRole
lambda:GetFunction
lambda:GetFunctionConfiguration
How are trust policies assumed by AWS services, exactly? The documentation is melting my brain: follow this link, follow that link, in circles.
Can someone end the suffering and just tell me how, from my terminal, if I have admin permissions configured, I can force an AWS service to assume a trust policy?
For example, if I update a CloudFormation stack with the AWS CLI using aws cloudformation deploy args, how do I ensure that CloudFormation is assuming the trust policy's permissions that I've configured for it and not the immediate credentials I am currently using?
Thanks so much
From AWS CloudFormation Service Role:
To associate a service role with a stack, specify the role when you create the stack.
When creating a stack in the management console or via aws cloudformation create-stack, you should specify --role-arn. All operations on the stack will then use the Role, not your own credentials.
If your stack is already created, update-stack --role-arn can be used. From the documentation:
AWS CloudFormation uses the role's credentials to make calls on your behalf. AWS CloudFormation always uses this role for all future operations on the stack.
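Two things have to line up before --role-arn does what the answer above describes: the service role's trust policy must let cloudformation.amazonaws.com assume it, and the caller's own identity must be allowed iam:PassRole on that role. As an added example (not from the answer or from AWS), this Python snippet checks a trust policy for exactly that single service principal (flagging wildcard, account or extra-service principals) and emits the least-privilege PassRole statement for the deploying user, scoped with the iam:PassedToService condition key so the same grant cannot pass the role to another service. The two trust policies are constructed samples.

```python
CFN_SERVICE = "cloudformation.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_principals(trust_policy):
    """Return {(kind, value)} for every principal that an Allow statement lets
    call sts:AssumeRole; kind is 'Service', 'AWS', 'Federated' or '*'."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add(("*", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                found.add((kind, value))
    return found

def trusts_only_cloudformation(trust_policy):
    """True only if CloudFormation is the sole principal allowed to assume the
    role: no wildcard, no account principal, no other service."""
    return allowed_principals(trust_policy) == {("Service", CFN_SERVICE)}

def passrole_statement(role_arn):
    """Statement for the deploying user's own policy: pass exactly this role, and
    only to CloudFormation, so the grant cannot hand the role to another service."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}},
    }

# Constructed sample trust policy for a CloudFormation service role.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CFN_SERVICE}, "Action": "sts:AssumeRole"}]}
# Same role after someone adds a second statement with a wildcard principal.
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": SAMPLE_TRUST["Statement"] + [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
```

Running the check against the trust policy returned by `aws iam get-role` before passing --role-arn catches a role that has quietly become assumable by more than CloudFormation.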
So if I were to create a federated developer role for developers (duh) and push it to AWS in the form of a cf template, the role's name is simply what I named it. But for some reason, if the role is designed for AWS services/resources to assume (say, a Lambda role for EC2 instances), the role has a seemingly random string of 12 characters appended to it.
Ex: iam-lam-role-85C94J38RDE2
Why does CloudFormation append this automatically?
Refer to the Name Type section of the CloudFormation documentation:
By default, AWS CloudFormation generates a unique physical ID to name a resource. For example, AWS CloudFormation might name an Amazon S3 bucket with the following physical ID stack123123123123-s3bucket-abcdefghijk1. [...]
If you want to use a custom name, specify a name property for that resource in your AWS CloudFormation template.
For AWS::IAM::Role (which is one of the resources that supports custom names), specify the RoleName property to provide a custom name.
Your question suggests that the default physical ID actually changes based on the contents of the AssumeRolePolicyDocument property within the AWS::IAM::Role resource. I haven't observed any such behavior in practice, so I think it's likely you specified a RoleName for one resource and not the other.
CloudFormation appends random characters to the physical ID so there won't be name collisions between 2 IAM roles. In a given AWS account, there cannot be 2 IAM roles with the same name.
If you were to create 2 CloudFormation stacks that each contain an IAM role with the same logical ID (e.g. MyRole), there would be name collisions for the IAM roles created. That's why CloudFormation generates a random name for your IAM roles (e.g. MyRole-85C94J38RDE2 and MyRole-78DM29SKFJD8).
If you want to assign a fixed name for your IAM roles, you can use the RoleName property.