
AWS CloudFormation - Attach existing managed policy to existing role through a template

I am deploying a CloudFormation template to AWS. A role for my Lambda invocation is being created by a template that I am importing, and I cannot modify it directly. I wish to modify that role to attach the AWS managed policy AWSLambdaVPCAccessExecutionRole that already exists in my AWS account. So far, all of my searches have come up empty.

  1. I have found instructions for how to create a new role with an existing managed policy
  2. I have found instructions for how to create a new policy and attach it to an existing role.
  3. I have found instructions for how to Update a Stack using the AWS console or the CLI, but not via a template (YAML or JSON)
  4. I have found instructions for calling something called aws_iam_role_policy_attachment in something called Terraform, but that is not available to me

I am hoping for something like the following but I cannot find any evidence of this existing anywhere. Is there anything that can do what I am trying to do?

---
Resources:
  AdditionalRolePermissions:
    Type: "AWS::IAM::RolePolicyAttachment"
    Properties:
      Roles:
        - Ref: ExistingRole
      PolicyName:
        - Ref: ExistingPolicy

The best solution I have come up with so far is to create a new policy that has a manually created PolicyDocument that is the same as the existing one for AWSLambdaVPCAccessExecutionRole and attach it to the role upon creation. I would prefer not to do that though because it will be harder to maintain.

Unfortunately, you can not do this in pure CloudFormation unless you create a custom resource but this isn't really pure CloudFormation at that point as you'd need to create a lambda and other resources to implement the custom resource. There is no concept of a policy attachment in CloudFormation presently and these attachments only happen when you define a policy or role resource.

The simplest thing would be to go with your solution of creating a policy that duplicates AWSLambdaVPCAccessExecutionRole. That policy is fairly simple and shouldn't clutter up your CloudFormation template too much compared to some other complicated policies.
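One way to implement the duplicate-policy approach from this answer without touching the imported template, as an added example that is not part of the original question or answer: the existing role is passed in by name as a parameter, and an AWS::IAM::ManagedPolicy resource carrying a copy of the managed policy's document is attached to it through the Roles property. The parameter name, the logical IDs and the description are hypothetical; the action list reflects the AWSLambdaVPCAccessExecutionRole document as published at the time of writing and should be checked against the managed policy in the console before use, because a hand-maintained copy silently drifts when AWS changes the original.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): attach a copy of the
  AWSLambdaVPCAccessExecutionRole permissions to a role created elsewhere.

Parameters:
  # Hypothetical parameter: the role created by the imported template.
  # Roles on AWS::IAM::ManagedPolicy takes role names, not role ARNs.
  ExistingRoleName:
    Type: String
    Description: Name (not ARN) of the existing Lambda execution role.

Resources:
  # A customer managed policy whose document mirrors the AWS managed policy.
  # Attaching it here means the role's own template never has to change.
  LambdaVpcAccessCopy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Copy of AWSLambdaVPCAccessExecutionRole permissions
      Roles:
        - !Ref ExistingRoleName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Verify this list against the current managed policy in the
          # console; it is the maintenance cost the question warns about.
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - ec2:CreateNetworkInterface
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeSubnets
              - ec2:DeleteNetworkInterface
              - ec2:AssignPrivateIpAddresses
              - ec2:UnassignPrivateIpAddresses
            # The AWS managed policy also uses "*" here; Lambda needs these
            # ENI actions on resources it creates on the function's behalf.
            Resource: '*'

Outputs:
  # !Ref on an AWS::IAM::ManagedPolicy resource returns the policy ARN.
  CopiedPolicyArn:
    Value: !Ref LambdaVpcAccessCopy
```

Deploy it as a second stack (or nested stack) alongside the one that owns the role, passing the role name as the parameter; since the policy is customer managed rather than inline, the same resource can be attached to several existing roles by listing more names under Roles.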

It is possible as of 2021. Please see: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-attach-managed-policy/

Example:

AWSTemplateFormatVersion: '2010-09-09'
Description: something cool
Resources:
  IAM:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      RoleName: some_role_name
      # Existing managed policies are attached by ARN through ManagedPolicyArns.
      # Policies takes inline PolicyName/PolicyDocument pairs, not ARNs, so the
      # template fails validation if the ARN list is placed there.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
