Adding a role to an opsworks instance - amazon-web-services

I am trying to figure out if there is a way to change an OpsWorks role of a running stack (without having to clone the entire stack).

You can change the role in the stack settings, but the instances you have created up to now will still have the old role. Any new instances you create after that will have the new role.
OpsWorks or not, once an instance is assigned a role, it cannot be changed; you can only create a new instance with a different role.
The role policies can be changed any time though, so if you need to make changes, you can just attach a new policy to an existing role rather than creating a new role.

Related

Is it possible to configure each instance in an AWS AutoScalingGroup with a IAM permission based on each instance ID?

I want to create a number of EC2 instances via an AutoScalingGroup using CDK.
AutoScalingGroup ec2Asg = AutoScalingGroup.Builder.create(this, "Ec2Asg")
    .role(myEc2InstanceProfileRole)
    ... further config here ...
    .build();
If possible, I'd like to restrict each instance in the ASG to only be able to access certain resources where the instance's ID forms part of the resource. For example:
arn:aws:ssm:REGION:ACCOUNT:parameter/<INSTANCE ID>/*
How is best to achieve this?
Unfortunately this would not be possible for what you're trying to achieve. The IAM permissions for an EC2 instance are not assigned to the instance itself; they are instead attached to an IAM entity (such as the instance's IAM role).
SSM parameters do support a hierarchy so you can create a parameter such as arn:aws:ssm:REGION:ACCOUNT:parameter/InstanceRole/i-1234567/parameter and then limit the IAM role to only access resources which match the pattern arn:aws:ssm:REGION:ACCOUNT:parameter/InstanceRole/.
By doing this you can at least limit the scope for your instances in the same ASG. Also be aware that the parameters themselves would still be accessible to any IAM resources with the permissions granted to them.
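To make the hierarchy scoping concrete, the following is an added example (not code from the question or the answer above). It builds the read-only policy for the role on one SSM parameter hierarchy and evaluates, with IAM's wildcard rules for resource ARNs, which parameter ARNs that policy would let the role read. The region, account ID, hierarchy name and sample parameter ARNs are constructed placeholders. It also shows the caveat from the answer: every instance in the ASG shares the role, so parameters under another instance's sub-path are readable too.

```python
import re
from typing import Iterable, List

# Constructed placeholder values; substitute your own.
REGION = "us-east-1"
ACCOUNT = "123456789012"
HIERARCHY = "InstanceRole"


def ssm_hierarchy_policy(region: str, account: str, hierarchy: str) -> dict:
    """Least-privilege read policy for an instance role: only parameters
    beneath one hierarchy. The trailing '/*' is what stops the statement
    from also matching a sibling hierarchy such as 'InstanceRoleX'."""
    prefix = f"arn:aws:ssm:{region}:{account}:parameter/{hierarchy}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneHierarchy",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters",
                           "ssm:GetParametersByPath"],
                "Resource": f"{prefix}/*",
            }
        ],
    }


def arn_matches(pattern: str, value: str) -> bool:
    """IAM matching for Resource and Action strings: '*' matches any run of
    characters (it does cross ':' and '/'), '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def readable_parameters(policy: dict, candidates: Iterable[str],
                        action: str = "ssm:GetParameter") -> List[str]:
    """Candidate parameter ARNs the policy permits for `action`.
    An explicit Deny wins over any Allow, as in IAM evaluation."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not any(arn_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for arn in candidates:
            if any(arn_matches(r, arn) for r in _as_list(stmt.get("Resource", []))):
                bucket.add(arn)
    return [arn for arn in candidates if arn in allowed and arn not in denied]


# Constructed sample parameters: two instances' sub-paths, one unrelated
# hierarchy, and one whose name merely starts with the hierarchy name.
SAMPLE_ARNS = [
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{HIERARCHY}/i-1234567/db-password",
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{HIERARCHY}/i-7654321/db-password",
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/Prod/db-password",
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{HIERARCHY}X/db-password",
]

if __name__ == "__main__":
    policy = ssm_hierarchy_policy(REGION, ACCOUNT, HIERARCHY)
    for arn in SAMPLE_ARNS:
        ok = arn in readable_parameters(policy, SAMPLE_ARNS)
        print(("readable   " if ok else "not readable ") + arn)
```

Because no IAM condition key carries the calling instance's ID, the first two ARNs are both readable by every instance that assumes the role; the hierarchy is the narrowest boundary the role itself can enforce.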

Only allow CloudFormation to delete resources created by CloudFormation

I want to create permissions for AWS CloudFormation.
I have to provide delete permission. How can I restrict it so that it can only delete resources which were created by CloudFormation?
AWS CloudFormation will only delete resources that it originally created.
When deploying a stack, CloudFormation will create resources using the permissions associated with the credentials that created the stack. Or, if an IAM Role is specified when the stack is created, it will use those credentials to create resources.
When deleting resources, it will use the same credentials.
It is not possible to create permissions that say "only delete resources that were created by CloudFormation" because the permissions are defined outside of CloudFormation.
I know that CloudFormation adds tags to most (all?) of the resources it creates, so you might be able to do some fancy stuff with tags, but it generally shouldn't be necessary because CloudFormation will only delete resources it originally created.

Can we assign more than one role to EC2 instance?

I see that there is only one role that can be assigned through aws console.
A role can have multiple policies.
Is there a possibility/necessity to assign more than one role to EC2?
No, it is not possible, nor is there a necessity.
If your IAM Role needs to access multiple resources, you can do so by attaching multiple policies to a single IAM Role.
For more information, check Policies and Permissions
AWS does not support the ability to assign more than one instance role to an instance.
From the AWS user guide:
An instance profile can contain only one IAM role. This limit cannot be increased.
The instance can be assigned a role and that role can be assigned multiple policies. Or you can create a single policy that contains all permissions necessary for that instance.
See: Instance Roles for EC2

AWS Elastic Beanstalk: Environment Fails to Launch

I have created a few environments before, so I know how the Amazon EBS works; however, lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am bit late in answering this issue, posting here if someone faces this error now.
In case your user has all the required permissions to create roles and BS has already created the instance profile "aws-elasticbeanstalk-ec2-role":
The reason for this error is roles only. When we try to launch EC2 from AWS BS, it creates a role named "aws-elasticbeanstalk-ec2-role" with the required permissions.
But if there is already a role with the trusted entity "AWS service: ec2", BS will check permissions in that already existing older role.
So go to Roles > Search ec2 related roles and select the role which is active.
And just add AWSElasticBeanstalkFullAccess permission to that ec2 role, and this issue will be resolved.

Associate a Role to a running AWS instance

In order to run AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my existing EC2 instances, I need an IAM role associated to the instance.
I found a lot of documentation to launch an instance with a role... But nothing to link a role to an existing instance.
Is it possible?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
This is one option, but it might take you a long time if you have a lot of instances.
The other option is to simply use IAM: create a new user, then add the Amazon CloudWatch PutMetricData operation permission to that user. Then create AWS credentials for that user and finally use them as per the docs that you specified:
Optional: If you aren't using an IAM role, update the awscreds.template file that you downloaded earlier. The content of this file should use the following format:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretAccessKey
Also set the environment variable AWS_CREDENTIAL_FILE to point to that awscreds.template in the environment of the user that is running the mon-scripts-perl.
There is a new method available, associate-iam-instance-profile, that associates an IAM instance profile with a running or stopped instance.
Example:
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
Doco
AWS doesn't allow you to modify the instance role after launching the instance.
You can either:
1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.
or
2) Create a headless user, generate an access key and secret key for the user with specific permissions, and use those keys.
Earlier there was no solution. You had to create an AMI and launch the server again with the appropriate role.
On Feb 9, AWS launched these new CLI options which can help you solve your problem.
See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/
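Before running associate-iam-instance-profile, the profile has to exist, hold a role, and that role has to trust EC2; the Elastic Beanstalk error quoted earlier on this page ("instance profile ... has no role") is the first of those checks failing. The following added example (not code from any of the answers or from AWS) runs those pre-flight checks over dictionaries shaped like the iam get-instance-profile response, defines a permission policy narrowed to the cloudwatch:PutMetricData action the monitoring scripts need (a narrower alternative to a user with long-lived access keys), and wraps the boto3 call that backs the CLI command above. The instance ID, profile name and sample profiles are constructed placeholders; the boto3 call is only made when a client is available.

```python
from typing import List, Optional

# Constructed placeholders; replace with your own identifiers.
INSTANCE_ID = "i-0123456789abcdef0"
PROFILE_NAME = "monitoring-instance-profile"

# Trust policy a role needs before an instance profile can hand it to EC2.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy limited to what mon-scripts-perl publishes, instead of a
# broad managed policy or an IAM user's static keys on the box.
MONITORING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricData",
        "Resource": "*",
    }],
}


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_allows_ec2(trust_policy: dict) -> bool:
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole.
    Principal.Service and Action may each be a string or a list."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if "ec2.amazonaws.com" in services and "sts:AssumeRole" in actions:
            return True
    return False


def profile_problems(profile: dict) -> List[str]:
    """Pre-flight for association. `profile` has the shape of the
    iam get-instance-profile output. An empty list means the profile is
    ready to be attached to an instance."""
    problems = []
    roles = profile.get("InstanceProfile", {}).get("Roles", [])
    if not roles:
        problems.append("instance profile has no role attached")
    for role in roles:
        if not trust_policy_allows_ec2(role.get("AssumeRolePolicyDocument", {})):
            problems.append(f"role {role.get('RoleName')} does not trust ec2.amazonaws.com")
    return problems


def associate_profile(instance_id: str, profile_name: str, ec2_client=None) -> dict:
    """Same operation as `aws ec2 associate-iam-instance-profile`, via boto3.
    boto3 is imported lazily so the checks above run without it installed."""
    if ec2_client is None:
        import boto3  # assumption: boto3 is installed where this runs for real
        ec2_client = boto3.client("ec2")
    return ec2_client.associate_iam_instance_profile(
        IamInstanceProfile={"Name": profile_name}, InstanceId=instance_id)


# Constructed sample profiles: one empty, one trusting the wrong service, one ready.
EMPTY_PROFILE = {"InstanceProfile": {"InstanceProfileName": PROFILE_NAME, "Roles": []}}
WRONG_TRUST_PROFILE = {"InstanceProfile": {"InstanceProfileName": PROFILE_NAME, "Roles": [{
    "RoleName": "monitoring-role",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
        "Action": ["sts:AssumeRole"]}]},
}]}}
READY_PROFILE = {"InstanceProfile": {"InstanceProfileName": PROFILE_NAME, "Roles": [{
    "RoleName": "monitoring-role", "AssumeRolePolicyDocument": EC2_TRUST_POLICY}]}}

if __name__ == "__main__":
    for name, prof in [("empty", EMPTY_PROFILE), ("wrong trust", WRONG_TRUST_PROFILE),
                       ("ready", READY_PROFILE)]:
        print(name, "->", profile_problems(prof) or "ok, safe to associate")
```

In a real run, fetch the profile with `iam.get_instance_profile(InstanceProfileName=...)`, call `profile_problems` on the result, and only then call `associate_profile`; an instance takes at most one profile, so an existing association has to be replaced rather than added to.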