Reference an existing IAM role from a CloudFormation template in AWS
So I was looking for a way to remove keys from our servers; Amazon itself suggests using IAM roles instead, so I tried that.
How
Under Resources, define:

    "Testing": {
        "Type": "AWS::IAM::InstanceProfile",
        "Properties": {
            "Path": "/",
            "Roles": ["my-role"]
        }
    }
Testing here is just the logical name of this declaration (the instance profile that wraps my-role); it can be named whatever you want. What is important is that you bind it under LaunchConfig.Properties, like so:
    "LaunchConfig": {
        "Properties": {
            "IamInstanceProfile": {
                "Ref": "Testing"
            },
            // ...
        },
        // ...
    }
In this way you will have the policies of my-role active on the provisioned server.
I found the relevant information buried in this piece of documentation, where it talks about "Example LaunchConfig with IAM Instance Profile"; have a look at the referenced template.
Why
Not having keys around is a great benefit per se, because once you start distributing them it is easy to lose track of all the places you put them in.
Attaching a new policy to a role (or removing one from it) is really easy to do, and it works right away, from the moment you save your changes.
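To tie the "How" and "Why" parts together, here is an added example (not part of the gist) that assembles the two resources above into a minimal complete template and audits it the way you would before deploying: every LaunchConfiguration must reference an AWS::IAM::InstanceProfile defined in the same template, and no access key id may be baked into UserData. my-role is the existing role named above; it is assumed to already exist with a trust policy for ec2.amazonaws.com (Roles takes role names, not ARNs). The AMI id is a placeholder and the access key id used in the negative case is constructed, not a real key.

```python
import copy
import json
import re

# Constructed minimal template in the gist's layout. "my-role" is the existing
# role named on the page and must already exist; ImageId is a placeholder.
BASE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Testing": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {"Path": "/", "Roles": ["my-role"]},
        },
        "LaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "ImageId": "ami-PLACEHOLDER",
                "InstanceType": "t3.micro",
                "IamInstanceProfile": {"Ref": "Testing"},
                # With a profile attached, the CLI obtains role credentials
                # from the instance metadata service; nothing is baked in.
                "UserData": {"Fn::Base64": "#!/bin/bash\naws s3 ls\n"},
            },
        },
    },
}

# Shape of an AWS access key id (AKIA + 16 uppercase alphanumerics).
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed, obviously fake key id for the negative test case below.
FAKE_KEY_ID = "AKIA" + "A" * 16


def variant(user_data=None, drop_profile=False):
    """Derive a constructed test template from BASE_TEMPLATE."""
    t = copy.deepcopy(BASE_TEMPLATE)
    props = t["Resources"]["LaunchConfig"]["Properties"]
    if user_data is not None:
        props["UserData"] = {"Fn::Base64": user_data}
    if drop_profile:
        del props["IamInstanceProfile"]
    return t


def audit(template):
    """Return (roles_by_launchconfig, problems).

    roles_by_launchconfig maps each LaunchConfiguration logical id to the role
    names it receives through its instance profile. problems lists launch
    configurations with no profile, Refs that do not resolve to an
    AWS::IAM::InstanceProfile in this template, and UserData that embeds an
    access key id.
    """
    resources = template["Resources"]
    roles, problems = {}, []
    for name, res in resources.items():
        if res.get("Type") != "AWS::AutoScaling::LaunchConfiguration":
            continue
        props = res.get("Properties", {})

        # Static keys in UserData defeat the point of using a role.
        user_data = props.get("UserData")
        if user_data is not None and ACCESS_KEY_ID.search(json.dumps(user_data)):
            problems.append(f"{name}: access key id embedded in UserData")

        profile = props.get("IamInstanceProfile")
        if profile is None:
            problems.append(f"{name}: no IamInstanceProfile; instances would need static keys")
            continue
        if isinstance(profile, dict) and "Ref" in profile:
            target = resources.get(profile["Ref"], {})
            if target.get("Type") != "AWS::IAM::InstanceProfile":
                problems.append(f"{name}: {profile['Ref']} is not an AWS::IAM::InstanceProfile")
                continue
            roles[name] = list(target["Properties"]["Roles"])
        else:
            # A plain string names a profile created outside this template,
            # so its roles cannot be read here; record the reference as-is.
            roles[name] = [f"external profile: {profile}"]
    return roles, problems


if __name__ == "__main__":
    cases = [
        ("good", BASE_TEMPLATE),
        ("no-profile", variant(drop_profile=True)),
        ("key-in-userdata", variant(f"#!/bin/bash\nexport AWS_ACCESS_KEY_ID={FAKE_KEY_ID}\n")),
    ]
    for label, t in cases:
        print(label, audit(t))
```

Running it prints the resolved role list for the good template and one problem line for each of the two bad variants. The same audit can be run over a real template loaded with json.load before cfn deploys it.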
ghost commented May 18, 2017
Thanks for the information. Really Helpful.