Reference an existing IAM role from a CloudFormation template in AWS


So I was looking for a way to remove keys from our servers; Amazon itself suggests using IAM roles instead, so I tried that.

How

Under `Resources` define:

```json
"Testing": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": ["my-role"]
  }
}
```

`Testing` here is just the logical name of this instance profile declaration; it can be named whatever you want. What matters is that you bind it under `LaunchConfig.Properties` like so:

```json
"LaunchConfig": {
  "Properties": {
    "IamInstanceProfile": {
      "Ref": "Testing"
    },
    // ...
  },
  // ...
}
```

This way the policies attached to `my-role` are active on the provisioned server.
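To show the two snippets above wired together as one complete template, here is an added example (not part of the original gist) that builds the template in Python and runs a small consistency check over it: every `Ref` must resolve to something declared in the template, and each launch configuration's `IamInstanceProfile` must point at an `AWS::IAM::InstanceProfile` that names at least one role. The role name `my-role` is the page's; the AMI id, instance type and the `build_template` / `check_instance_profile_wiring` helper names are assumptions made for this example.

```python
import json

# Assumption: this role already exists in the account and was created
# outside the template (the page's "my-role").
EXISTING_ROLE_NAME = "my-role"


def build_template(role_name=EXISTING_ROLE_NAME):
    """Return a minimal CloudFormation template (as a dict) that wraps an
    existing IAM role in an instance profile and binds that profile to a
    launch configuration. ImageId and InstanceType are placeholders."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "Testing": {
                "Type": "AWS::IAM::InstanceProfile",
                "Properties": {"Path": "/", "Roles": [role_name]},
            },
            "LaunchConfig": {
                "Type": "AWS::AutoScaling::LaunchConfiguration",
                "Properties": {
                    "ImageId": "ami-PLACEHOLDER",   # constructed placeholder
                    "InstanceType": "t2.micro",      # assumption
                    "IamInstanceProfile": {"Ref": "Testing"},
                },
            },
        },
    }


def find_refs(node):
    """Yield every logical name used in a {"Ref": ...} anywhere in the tree."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        else:
            for value in node.values():
                yield from find_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_refs(item)


def check_instance_profile_wiring(template):
    """Return a list of problems; an empty list means the wiring is sound.

    Checks: (1) each Ref resolves to a declared Resource or Parameter
    (pseudo parameters such as AWS::Region are skipped); (2) each
    launch configuration's IamInstanceProfile is a Ref to an
    AWS::IAM::InstanceProfile that lists at least one role."""
    resources = template.get("Resources", {})
    parameters = template.get("Parameters", {})
    problems = []

    for ref in find_refs(resources):
        if ref.startswith("AWS::"):
            continue  # pseudo parameter, resolved by CloudFormation
        if ref not in resources and ref not in parameters:
            problems.append(f"Ref to undeclared name '{ref}'")

    for name, res in resources.items():
        if res.get("Type") != "AWS::AutoScaling::LaunchConfiguration":
            continue
        profile = res.get("Properties", {}).get("IamInstanceProfile")
        if not isinstance(profile, dict) or "Ref" not in profile:
            problems.append(f"{name}: IamInstanceProfile is not a Ref")
            continue
        target = resources.get(profile["Ref"], {})
        if target.get("Type") != "AWS::IAM::InstanceProfile":
            problems.append(
                f"{name}: IamInstanceProfile '{profile['Ref']}' is not an "
                "AWS::IAM::InstanceProfile")
        elif not target.get("Properties", {}).get("Roles"):
            problems.append(
                f"{name}: instance profile '{profile['Ref']}' names no Roles")
    return problems


if __name__ == "__main__":
    template = build_template()
    print(json.dumps(template, indent=2))
    print("problems:", check_instance_profile_wiring(template) or "none")
```

The check is deliberately local and offline; it catches the template-level mistakes that would otherwise only surface as a failed stack update (a `Ref` to a misspelled logical name, or an instance profile with an empty `Roles` list). It does not verify that `my-role` actually exists in the account, which only the AWS API can tell you at deploy time.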

I found the relevant information buried in this piece of documentation, where it talks about "Example LaunchConfig with IAM Instance Profile"; have a look at the referenced template.

Why

Not having keys around is a great benefit per se, because once you start distributing them it's easy to lose track of all the places you put them.
Attaching (or removing) a policy on a role instead is really easy to do and takes effect right away, from the moment you save your changes.

@ghost

ghost commented May 18, 2017

Thanks for the information. Really helpful.
