Skip to content

Instantly share code, notes, and snippets.

@lazywithclass

lazywithclass/blog-post.md

Created Feb 20, 2017
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Reference an existing IAM role from a CloudFormation template in AWS
Raw
blog-post.md

Reference an existing IAM role from a CloudFormation template in AWS

So I was looking for a way to remove keys from our servers, Amazon itself suggest that you use IAM instead, so I tried that.

How

Under Resources define

"Testing": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": ["my-role"]
  }
}

Testing here is just a reference to this roles declaration, it can be named whatever you want, what is important is that you bind it under Launchconfig.Properties like so

"LaunchConfig": {                                                                    
  "Properties": {
    "IamInstanceProfile": { 
      "Ref": "Testing"
    },           
    // ...
  },
  // ...
}

In this way you will have my-role policies active on the provisioned server.

I've found the relevant information buried in this piece of documentation where it talks about "Example LaunchConfig with IAM Instance Profile", have a look at the referenced template.

Why

Not having keys around is a great benefit per se, because if you start distributing them it's easy to lose track of all places you put them in.
Attaching (or removing) a new policy to a role instead is really easy to do and it works right away, from the moment you save your changes.

@ghost

This comment has been minimized.

Sign in to view
Copy link

@ghost ghost commented May 18, 2017

Thanks for the information. Really Helpfull.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment