Instantly share code, notes, and snippets.

@lazywithclass lazywithclass/blog-post.md
Created Feb 20, 2017

Embed
What would you like to do?
Download ZIP
Reference an existing IAM role from a CloudFormation template in AWS
Raw
blog-post.md

Reference an existing IAM role from a CloudFormation template in AWS

So I was looking for a way to remove keys from our servers, Amazon itself suggest that you use IAM instead, so I tried that.

How

Under Resources define

"Testing": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": ["my-role"]
  }
}

Testing here is just a reference to this roles declaration, it can be named whatever you want, what is important is that you bind it under Launchconfig.Properties like so

"LaunchConfig": {                                                                    
  "Properties": {
    "IamInstanceProfile": { 
      "Ref": "Testing"
    },           
    // ...
  },
  // ...
}

In this way you will have my-role policies active on the provisioned server.

I've found the relevant information buried in this piece of documentation where it talks about "Example LaunchConfig with IAM Instance Profile", have a look at the referenced template.

Why

Not having keys around is a great benefit per se, because if you start distributing them it's easy to lose track of all places you put them in.
Attaching (or removing) a new policy to a role instead is really easy to do and it works right away, from the moment you save your changes.

@ghost

This comment has been minimized.

Sign in to view
Copy link

ghost commented May 18, 2017

Thanks for the information. Really Helpfull.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment