How are trust policies assumed by AWS Services exactly. The documentation is melting my brain— follow this link, follow that link in circles.
Can someone end the suffering and just tell me that how, from my terminal, if I have admin permissions configured, how can I force an AWS service to assume a trust policy.
For example, if I update a CloudFormation stack with the AWS CLI using aws cloudformation deploy args, how do I ensure that cloudformation is assuming the trust policy's permissions that I've configured for it and not my the immediate credentials I am currently using?
Thanks so much
From AWS CloudFormation Service Role:
To associate a service role with a stack, specify the role when you create the stack.
When creating a stack in the management console or via aws cloudformation create-stack, you should specify --role-arn. All operations on the stack will then use the Role, not your own credentials.
If you stack is already created, update-stack --role-arn can be used. From the documentation:
AWS CloudFormation uses the role's credentials to make calls on your behalf. AWS CloudFormation always uses this role for all future operations on the stack.
Related
I'm trying to create a botocore session (that does not use my local AWS credentials on ~/.aws/credentials). In other words, I want to create a "burner AWS account". With that burner credentials/session, I want to setup an STS client and with that client, assume a role in order to access a DynamoDB database. Can someone provide some example code which accomplishes exactly this?
Because if I want my system to go into production environment, I CANNOT store the AWS credentials on Github because AWS will scan for it. I'm trying to implement a workaround such that we don't have to store ~/.aws/credentials file on Github.
The running a task in Amazon ECS, simply assign an IAM Role to the task.
Amazon ECS will then generate temporary credentials for that IAM Role. Any code that uses an AWS SDK (such as boto3 for Python) knows how to access those credentials via the metadata service.
The result is that your code using boto3 will automatically receive credentials that have the permissions associated with the IAM Role assigned to the task.
See: IAM roles for tasks - Amazon Elastic Container Service
enter image description here
in aws cloudformation why do we have to edit iam roles in template only then why is the option given in console,when trying to update iam role it says nothing to update
The role in question is used to grant the Cloudformation the permissions to deploy specific resources as part of the stack. By default if you don't specify what role the stack should use, it will use the permissions assigned to a user that's creating the CFN stack. So for example in case you don't have permissions to deploy an IAM resources and you try to deploy a CFN stack containing an IAM Role it will fail due to lack of permissions. This is where the Cloudformation IAM Roles come in handy. You can have a Cloudformation role deployed that has more permissions that the role you're using to deploy the stack itself and by assigning it to the CFN stack you're now able to privision those resources.
To update the IAM Role that the stack uses without making any changes to the stack resources you can got to Update -> Use current template -> Change IAM role (in Permissions) pick the role you want the stack to use and click Update stack. Once completed you can check the Stack info and in Overview the new IAM Role arn should be listed.
When deploying the resources from the pipeline or aws cli you can also specify the role you want your stack to use to provision the resources.
aws cloudformation deploy \
--template-file package.yaml \
--stack-name YOUR-STACK-NAME \
--role-arn arn:aws:iam::123456789012:role/YOUR-IAM-ROLE
Your screenshot shows AWS CloudFormation (CFN) service role. This is totally different role from those in your templates. Namely, CFN will use that role to create/update your stack. By default CFN uses your own IAM user permissions, but you can tell CFN to use the given CFN service role instead.
is there a way to find out what all resources are using an IAM role. Because I want to modify that and wanted to check what all could affect my modification.
Not quite.
Services can "assume" a role. This happens when the activity is run (eg when an AWS Lambda function is invoked, or when an Amazon EC2 instance is launched). Thus, there is no permanent 'link' between roles and services. Therefore, it is not possible to say "list me everything that is using this IAM Role".
However, you could list services and see which roles they are configured to use. For example, you could describe EC2 instances and check what IAM Role they are configured to use. However, you would need to do this for all services that you know are potentially using the roles.
You can find where an IAM role is used from based on the past usage.
I can think of few ways.
method 1 - Access Advisor
click the "Access Advisor" tab section that appears when you click an IAM role
check last accessed time of each services
method 2 - Cloudtrail
the cli command will tell you which services/user assumed the role and also the action they performed.
aws cloudtrail lookup-events --max-results 20 --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:iam::012345678901:role/lambdaRole --output json --query "Events[*].[CloudTrailEvent]"
I want to create a S3 Bucket via CloudFormation template. I found there is a way to do it for EC2 instance on this link.
Do we have a way to create S3 bucket using existing IAM role via cloudformation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permission part to find out how to use an existing IAM role for creating a Cloudformation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using creating Cloudformation template, you can have 2 ways to do it:
Cloudformation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way
Secondly (Optional), you can choose an existing role that can be attached to the CF template. Cloudformation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket as can be seen in the attached screenshot
I am trying to work out the logic flow for an AWS CloudFormation template that will assume an IAM role that can pull files from a S3 bucket in another AWS account.
What I have so far is:
accountA has a roleA
roleA has policy that allows sts:AssumeRole for a role in accountB :arn:aws:iam::11122233444:role/AllowPullS3
accountB has role(AllowPullS3) with
policy allow:s3 listBucket + get,put,delete
trust relationship for accountA :Action:"sts:AssumeRole"
If I create an EC2 instance manually with the IAM:roleA and then use the CLI to get the assume-role credentials, I can then pull the files from the other account's S3 bucket as expected.
But what do I need to put where in my accountA CF template that will allow the EC2 instance to assume roleB and pull the file from the accountB S3 bucket as part of the formation?
I have tried following a lot of tutorials such as this cfn-iam:init tutorial but still can not fully grasp what goes where.
Thanks for your advice.
Art
It is not possible to tell CloudFormation to assume another role.
However, if you have a CLI script/command that works on the Amazon EC2 instance, then just pass that script as User Data. The script will run when your instance starts. User Data can be passed in your CloudFormation template, where the EC2 instance is defined.
See: Running Commands on Your Linux Instance at Launch