we have a management account for our different environments where we store data in a central location. I have a json file to be used as a stack in one of our AWS accounts. The templateURL property in aws::cloudformation::stack must point to the S3 bucket in the management account. I created a role in the dev account that trusts the main account and allows access to s3. I have tested access by using the "Switch Role" feature in AWS. I have attached that role to CloudFormation during the "Create Stack" step. However, when it is launched specifying the URL of the S3 bucket in the main account, I get error "templateURL must reference a valid S3 object to which you have access."
Looking for advice or help and much appreciated :)
Related
I have created an S3 Bucket, with the cloud formation, Lets Say Bucket Name is S3Bucket,
I don't want this bucket getting deleted if I delete stack, so added Deletion Policy to Retain,
Now the problem here is, If run the stack again, it complains S3Bucket name already exists.
If a bucket already exists, it should not complain.
What to do for this.
Please help
I faced this in the past and what i did in order to resolve this is that i created a common AWS cloudformation template/stack which will create all our common resources which are static(Handle it like a bootstrap template).
Usually i am adding in this template the creation of s3 buckets,VPC, networking, databases creation, etc.
Then you can create other AWS cloudformation templates/stacks for your rest resources which are dynamic and changing usually like lambdas,ec2, api gateway etc.
S3 names are globally unique. (e.g if I have s3 bucket in my AWS account s3-test, you cannot have a bucket with the same name).
The only way to use same name is to delete the bucket, or retype your cloud formation template and use new cloud formation feature to import resource:
https://aws.amazon.com/blogs/aws/new-import-existing-resources-into-a-cloudformation-stack/
I am trying to create a CloudFormation Template (CFT) for a S3 Bucket that needs to be "PublicRead" and that also has "Requester Pays" turned on.
I have looked at the documentation for S3 Bucket CFTs: AWS::S3::Bucket - AWS CloudFormation
Also I have looked at the documentation for "Requester Pays", but it fails to mention anything about CFTs. It only references enabling it through the console and with the REST API:
Requester Pays Buckets - Amazon Simple Storage Service
Right now we are trying to get all our infrastructure into infrastructure as code, but this is a somewhat large blocker for that. I have heard that other people have had trouble with CFTs not supporting some features from AWS services, but usually those are for unpopular/newer services. I would think that CFT would support all the options that S3 has for buckets.
You are correct. The CloudFormation AWS::S3::Bucket resources does not support Requester Pays.
The enable it, you would need to make an API call such as put_bucket_request_payment():
Sets the request payment configuration for a bucket. By default, the bucket owner pays for downloads from the bucket. This configuration parameter enables the bucket owner (only) to specify that the person requesting the download will be charged for the download.
response = client.put_bucket_request_payment(
Bucket='string',
RequestPaymentConfiguration={
'Payer': 'Requester'|'BucketOwner'
}
)
This could be done by adding an AWS Lambda custom resource to the CloudFormation template, or by using the AWS CLI from an Amazon EC2 instance that is created as part of the stack.
I want to create a S3 Bucket via CloudFormation template. I found there is a way to do it for EC2 instance on this link.
Do we have a way to create S3 bucket using existing IAM role via cloudformation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permission part to find out how to use an existing IAM role for creating a Cloudformation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using creating Cloudformation template, you can have 2 ways to do it:
Cloudformation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way
Secondly (Optional), you can choose an existing role that can be attached to the CF template. Cloudformation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket as can be seen in the attached screenshot
I created S3 bucket using Cloud formation template script.
Now i want to access S3 bucket name and end point from instance metadata.
Any help?
To enable applications running on an Amazon EC2 instance to access Amazon S3 (or any AWS service), you can create an IAM Role for the EC2 instance and assign it to the instance.
Applications on that instance that use the AWS SDK to make API calls to AWS will automatically have access to credentials with permissions described in the assigned role.
Your particular situation is slightly difficult because the CloudFormation template will create a bucket with a unique name, while your IAM Role will want to know the exact name of the Amazon S3 bucket. This can be accomplished by referring to the S3 bucket that was created within the CloudFormation template.
The template would need to create these resources:
AWS::S3::Bucket
AWS::IAM::Role to define the permissions
AWS::IAM::InstanceProfile to link the role to the EC2 instance
AWS::EC2::Instance that refers to the IAM Role
Within the definition of the IAM Role, the ARN for the S3 bucket would need to refer to the bucket created elsewhere in the template. This would require a bit of string manipulation to insert the correct value into the policy.
If you run into difficulty, feel free to create another StackOverflow question showing the template that you have been working on, highlighting the part that is causing difficulty.
I am currently trying to enable AWS Config notifications on multiple accounts. I have enabled monitoring on each individual account with its own S3 bucket and SNS topic, but it would make more sense to have one centralized bucket and topic. I am trying to implement this with little success.
I have created an s3 bucket and target ARN but when I try and apply the changes I get an error of insufficient delivery policy
Note I am doing this through the AWS console and not with code.
To do this, you need two pieces:
The Identity and Access Management (IAM) Role being used must have permissions to deliver data to the common S3 bucket and SNS Topic. You'll need to go to the IAM Management Console, and edit the role being used by Config in each account and update the S3 bucket/SNS names in "PutObject", "GetBucketACL" and "sns:Publish"
You also need to allow the S3 bucket and SNS Topic to receive data from this new role. See
a. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_accounts_bucket_policy.html
b. http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage_UseCases_Sns.html