So if I were to create a federated developer role for developers (duh) and push it to AWS in the form of a cf template, the role's name is simply what I named it. But for some reason, if the role is designed for AWS services/resources to assume (say, a Lambda role for EC2 instances), the role has a seemingly random string of 12 characters appended to it.
Ex: iam-lam-role-85C94J38RDE2
Why does CloudFormation append this automatically?
Refer to the Name Type section of the CloudFormation documentation:
By default, AWS CloudFormation generates a unique physical ID to name a resource. For example, AWS CloudFormation might name an Amazon S3 bucket with the following physical ID stack123123123123-s3bucket-abcdefghijk1. [...]
If you want to use a custom name, specify a name property for that resource in your AWS CloudFormation template.
For AWS::IAM::Role (which is one of the resources that supports custom names), specify the RoleName property to provide a custom name.
Your question suggests that the default physical ID actually changes based on the contents of the AssumeRolePolicyDocument property within the AWS::IAM::Role resource. I haven't observed any such behavior in practice, so I think it's likely you specified a RoleName for one resource and not the other.
CloudFormation appends random characters to the physical ID so there won't be name collisions between 2 IAM roles. In a given AWS account, there cannot be 2 IAM roles with the same name.
If you were to create 2 CloudFormation stacks that each contain an IAM role with the same logical ID (e.g. MyRole), there would be name collisions for the IAM roles created. That's why CloudFormation generates a random name for your IAM roles (e.g. MyRole-85C94J38RDE2 and MyRole-78DM29SKFJD8).
If you want to assign a fixed name for your IAM roles, you can use the RoleName property.
Related
i am trying to launch a CFT using the AWS Cloud Trail API. The problem is, when i launch the CFT directly into the AWS console it presents me with a IAM capability check screen
how can i handle this check box while using the API.
Using the API
Capabilities.member.N
A list of values that you must specify before AWS CloudFormation can create certain stacks. Some stack templates might include resources that can affect permissions in your AWS account, for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge their capabilities by specifying this parameter.
The only valid values are CAPABILITY_IAM and CAPABILITY_NAMED_IAM. The following resources require you to specify this parameter: AWS::IAM::AccessKey, AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, and AWS::IAM::UserToGroupAddition. If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.
If you have IAM resources, you can specify either capability. If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. If you don't specify this parameter, this action returns an InsufficientCapabilities error.
For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
Type: Array of strings
Valid Values: CAPABILITY_IAM | CAPABILITY_NAMED_IAM
http://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
Using the AWS CLI
--capabilities (list)
A list of values that you must specify before AWS CloudFormation can create certain stacks. Some stack templates might include resources that can affect permissions in your AWS account, for example, by creating new AWS Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge their capabilities by specifying this parameter.
The only valid values are CAPABILITY_IAM and CAPABILITY_NAMED_IAM . The following resources require you to specify this parameter: AWS::IAM::AccessKey , AWS::IAM::Group , AWS::IAM::InstanceProfile , AWS::IAM::Policy , AWS::IAM::Role , AWS::IAM::User , and AWS::IAM::UserToGroupAddition . If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.
If you have IAM resources, you can specify either capability. If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM . If you don't specify this parameter, this action returns an InsufficientCapabilities error.
http://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html
I created S3 bucket using Cloud formation template script.
Now i want to access S3 bucket name and end point from instance metadata.
Any help?
To enable applications running on an Amazon EC2 instance to access Amazon S3 (or any AWS service), you can create an IAM Role for the EC2 instance and assign it to the instance.
Applications on that instance that use the AWS SDK to make API calls to AWS will automatically have access to credentials with permissions described in the assigned role.
Your particular situation is slightly difficult because the CloudFormation template will create a bucket with a unique name, while your IAM Role will want to know the exact name of the Amazon S3 bucket. This can be accomplished by referring to the S3 bucket that was created within the CloudFormation template.
The template would need to create these resources:
AWS::S3::Bucket
AWS::IAM::Role to define the permissions
AWS::IAM::InstanceProfile to link the role to the EC2 instance
AWS::EC2::Instance that refers to the IAM Role
Within the definition of the IAM Role, the ARN for the S3 bucket would need to refer to the bucket created elsewhere in the template. This would require a bit of string manipulation to insert the correct value into the policy.
If you run into difficulty, feel free to create another StackOverflow question showing the template that you have been working on, highlighting the part that is causing difficulty.
This page https://www.terraform.io/docs/providers/aws/r/iam_role.html mentions:
NOTE: This assume_role_policy is very similar but slightly different
than just a standard IAM policy and cannot use an aws_iam_policy
resource. It can however, use an aws_iam_policy_document data source,
see example below for how this could work.
Is there any reason why the assume_role_policy is different from the standard IAM policy?
Any why?
An assume role policy is a special policy associated with a role that controls which principals (users, other roles, AWS services, etc) can "assume" the role. Assuming a role means generating temporary credentials to act with the privileges granted by the access policies associated with that role.
An assume role policy differs from a normal policy in the following ways:
It is a property of the role itself, rather than a separate object associated with the role. There is only one assume role policy per role.
The only Action values that have any meaning in an assume role policy are sts:AssumeRole and some other variants on it (at the time of writing, sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity). Those are the API operations used to obtain the temporary credentials for the role.
It is the first of these differences that creates the difference mentioned in the Terraform documentation: since a role has exactly one IAM policy and it is declared directly as part of the role, its policy document must be provided as an attribute of the aws_iam_role resource. The aws_iam_policy_document data source is just a simple transform of its input into an IAM JSON policy document format, so it can be used to generate the value of the assume_role_policy attribute.
When an AWS service makes calls to another API service on your behalf, it is internally obtaining temporary credentials for the role you designate, which it can then use to make calls to other service APIs. It is for this reason that it is necessary to create roles and assign them to services such as AWS Lambda, EC2 (via instance profiles), Kinesis Firehose, etc.
I wrote a more elaborate description of this as part of an answer to another question, which gives some examples of practical IAM roles, assume role policies and regular policies.
I made a typo while creating an IAM role to allow a lambda function to access the cloudwatch logs and to create EC2 volumes snapshots. Is there any way to rename the role, whether by using the console or the AWS CLI ?
You cannot edit IAM roles after the role has been created. This is mentioned in several places, including when the role is created through the IAM console.
And in several places in the docs.
For Role name, type a role name to help identify the purpose of this role. Role names must be unique within your AWS account. After you enter the name, click Next Step.
Role names have character limitations. The number of roles in an AWS account and the policy size for policies attached to roles are also limited. For more information, see Limitations on IAM Entities and Objects. Note that you cannot edit the name of the role after it is created.
It is not possible to edit the name via the console or AWS CLI.
I want to add a dropdown for an existing IAM roles while creating a stack. The Parameter Type - AWS::IAM::Role gives only a text box to put the IAM role.I already have a role defined to create a stack and launch an instance. But how do I show the roles in the dropdown?
The snippets given in the documentation refer to the IAM policy creation and root user access.
Any suggestions for IAM Role drop down?
Not possible. CloudFOrmation supports only the following AWS-Specific Parameter Types: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#aws-specific-parameter-types