Create an IAM Role for CloudFormation
When using CloudFormation to manage resources in AWS, CloudFormation must act with IAM permissions that allow it to modify each resource defined in the CloudFormation stack. These permissions can come either from the IAM identity of the user running the operation, or from a dedicated role created for the stack. In this article we'll see how to easily create a specific role for CloudFormation using the AWS CLI.
Why A Specific IAM Role for CloudFormation
While it is possible for CloudFormation to use the user's own IAM permissions to update resources in a stack, security best practice is to create a specific role for each CloudFormation stack. With these specific roles we can limit the scope of updates to only the resources defined in our stack. Additionally, using a role instead of a user's IAM permissions scales better as our CloudFormation stacks grow; we do not want to rely on a single user's IAM permissions to manage multiple stacks.
IAM Trusted Entity
To create our IAM role for CloudFormation to use, first we must define a trusted entity for the role. The trusted entity (the role's trust policy) states which principal is allowed to assume the role; for CloudFormation, that principal is the CloudFormation service itself. This is what our trusted entity looks like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Save this in a file named trusted-entity.json to use with our CLI command later.
IAM Permissions
Now we can define the permissions that our CloudFormation stack needs. Note that each stack's permission requirements will be different, depending on the resources it manages. For this example, my stack needs to be able to manage Lambda functions, CloudFormation stacks, and S3. A more granular approach would be to grant only the exact actions and resources required rather than using wildcards, but for simplicity I'm using broad permissions here. Modify these permissions to match your needs:
{
  "Statement": [
    {
      "Action": [
        "lambda:*",
        "cloudformation:*",
        "s3:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}
Save this in a file called user-policy.json to use with the AWS CLI later.
Create IAM Role
First we'll create our role with the AWS CLI using our trusted entity document. Then we'll attach our permissions policy to it.
To create a new role named HelloWorldCloudFormationRole run the following AWS CLI command:
aws iam create-role --role-name HelloWorldCloudFormationRole --assume-role-policy-document file://trusted-entity.json
A successful call will return a JSON document describing your new role.
Attach Permissions
With our newly created role we can now attach our permission policy. I’ve called this policy HelloWorldCloudFormationPolicy:
aws iam put-role-policy --role-name HelloWorldCloudFormationRole --policy-name HelloWorldCloudFormationPolicy --policy-document file://user-policy.json
A successful call will be an empty response.
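The whole procedure, gathered into one re-runnable POSIX shell script, as an added example that is not code from the original article. It writes the two policy documents shown above, counts the wildcard grants in the permissions document so the breadth of the grant is visible before it is attached (the granularity point made in the IAM Permissions section), and only calls the real AWS CLI when invoked with an explicit "apply" argument. The ROLE_NAME, POLICY_NAME and OUT_DIR variables, the "apply" argument, and the helper function names are assumptions of this example:

```shell
#!/bin/sh
# Added example (not from the original article). Assumed conventions:
# ROLE_NAME / POLICY_NAME / OUT_DIR may be overridden via the environment,
# and the AWS CLI is only called when the script is run with "apply".
set -eu

ROLE_NAME="${ROLE_NAME:-HelloWorldCloudFormationRole}"
POLICY_NAME="${POLICY_NAME:-HelloWorldCloudFormationPolicy}"
OUT_DIR="${OUT_DIR:-.}"

# Step 1: trust policy. Only the CloudFormation service may assume the role.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cloudformation.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 2: permissions policy, mirroring the article's broad example.
write_permissions_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:*",
        "cloudformation:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Review helper: count lines carrying a "service:*" action or a "*" resource.
# Prints the count (0 when the document is fully scoped).
count_wildcards() {
  grep -c -E '"[a-z0-9-]+:\*"|"Resource": *"\*"' "$1" || true
}

# True when the document contains no wildcard action or resource.
policy_is_scoped() {
  [ "$(count_wildcards "$1")" -eq 0 ]
}

# Step 3: create the role with the trust policy (calls the real AWS CLI).
create_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$1"
}

# Step 4: attach the permissions document as an inline policy on the role.
attach_policy() {
  aws iam put-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-name "$POLICY_NAME" \
    --policy-document "file://$1"
}

main() {
  trust="$OUT_DIR/trusted-entity.json"
  perms="$OUT_DIR/user-policy.json"
  write_trust_policy "$trust"
  write_permissions_policy "$perms"
  n=$(count_wildcards "$perms")
  if [ "$n" -gt 0 ]; then
    echo "warning: $perms contains $n wildcard action/resource line(s); consider scoping them" >&2
  fi
  if [ "${1:-}" = "apply" ]; then
    create_role "$trust"
    attach_policy "$perms"
  else
    echo "dry run: wrote $trust and $perms; re-run with 'apply' to create $ROLE_NAME"
  fi
}

main "$@"
```

Run it once without arguments to produce and inspect the two JSON files, then with `apply` to create the role and attach the policy. The role is then used by passing its ARN to the `--role-arn` option of `aws cloudformation create-stack`, `update-stack` or `deploy`, so the stack operation runs with the role's permissions rather than the caller's.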
Conclusion
You should now be able to easily create CloudFormation IAM roles with the AWS CLI, allowing your CloudFormation stacks to update resources in a secure manner. Additionally, by saving the trusted entity and permissions policy documents, this process can be easily repeated for each new stack and role you need in your AWS account. Questions or comments about this process? Drop a line in the comments below.