- Create a new CloudFormation template file and add the first resource. This is the role itself; it carries the references to the two AWS managed policies and also our inline policy:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ExampleRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
      Path: /
      Policies:
        -
          PolicyName: WriteToCloudWatchLogs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                Resource: "*"
```

The AssumeRolePolicyDocument (the trust policy) is the only thing that limits who can use this role: it allows the EC2 service, and nothing else, to assume it. The inline policy grants its logs: actions on Resource: "*", which is the common shape for CloudWatch Logs agent permissions; if your instances write to a known set of log groups, you can tighten that to the ARNs of those log groups.
- We now need to create an InstanceProfile resource. A profile wraps a single IAM role, and that is essentially all it is used for: it is the object you attach to an EC2 instance at launch, and the instance then obtains temporary credentials for the wrapped role through the instance metadata service. Since a profile can contain only one IAM role, it is not clear why AWS built this extra layer of abstraction; presumably they have plans to give profiles other properties besides a role:

```yaml
  ExampleInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ExampleRole
      Path: /
```
- For convenience, we'll add some Outputs that will provide the profile name and ARN to us after the stack is created. !Ref on an instance profile resource returns its name; the ARN comes from !GetAtt:

```yaml
Outputs:
  ExampleInstanceProfile:
    Value: !Ref ExampleInstanceProfile
  ExampleInstanceProfileArn:
    Value: !GetAtt ExampleInstanceProfile.Arn
```
- You can now create your instance role via the CloudFormation web console or via the CLI like this:

```bash
aws cloudformation create-stack \
  --stack-name example-instance-profile \
  --template-body file://08-creating-instance-roles.yaml \
  --capabilities CAPABILITY_IAM
```

The --capabilities CAPABILITY_IAM flag is required because the template creates IAM resources; without it, CloudFormation refuses to create the stack. If you give the role or profile an explicit name (RoleName or InstanceProfileName) you must pass CAPABILITY_NAMED_IAM instead.

This instance profile, and with it the role, can now be assigned to your EC2 instances. The Feeding log files in to CloudWatch logs recipe in Chapter 5, Management Tools, shows how you can define a role and assign it to an EC2 instance at launch using CloudFormation.
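Before running create-stack it is worth checking the IAM resources in the template mechanically rather than by eye: who may assume the role, whether any inline statement grants wildcard actions, whether write actions are granted on Resource "*", and whether the instance profile really references exactly one role defined in the template. The script below is an added example, not code from this book or from AWS; it restates the recipe's Resources section in CloudFormation's JSON form (which CloudFormation accepts as readily as YAML and which parses with the standard library, !Ref becoming {"Ref": ...}) and runs those four checks over it. The function names, the READ_ONLY_PREFIXES heuristic for telling read actions from write actions, and the allowed_services parameter are all assumptions of this example.

```python
"""Pre-deployment checks for the IAM resources in a CloudFormation template.

Added example (not from the recipe). The recipe's Resources are restated in
CloudFormation's JSON form, which the service accepts as readily as YAML and
which parses with the standard library; !Ref becomes {"Ref": ...}.
"""
import json

# Same resources as the recipe's template, in JSON form (constructed for this example).
RECIPE_TEMPLATE = json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "ExampleRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                              "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"],
        "Path": "/",
        "Policies": [{"PolicyName": "WriteToCloudWatchLogs", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Resource": "*",
                 "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                            "logs:PutLogEvents", "logs:DescribeLogStreams"]}]}}]}},
    "ExampleInstanceProfile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {
        "Roles": [{"Ref": "ExampleRole"}], "Path": "/"}}}})

# Heuristic (an assumption of this example): action verbs with these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(name, props, allowed_services):
    """Every Allow statement in the trust policy may name only the expected service principals."""
    findings = []
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "AWS" in principal or "Federated" in principal:
            findings.append(f"{name}: trust policy allows a non-service principal {principal!r}")
            continue
        for svc in as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                findings.append(f"{name}: unexpected service principal {svc}")
    return findings

def check_inline_policies(name, props):
    """Flag wildcard actions, and write actions that are granted on Resource "*"."""
    findings = []
    for policy in props.get("Policies", []):
        label = f"{name}/{policy['PolicyName']}"
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = as_list(stmt.get("Action", []))
            resources = as_list(stmt.get("Resource", []))
            wild = [a for a in actions if a == "*" or a.endswith(":*")]
            if wild:
                findings.append(f"{label}: wildcard action(s) {wild}")
            writes = [a for a in actions if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
            if writes and "*" in resources:
                findings.append(f'{label}: write actions {writes} on Resource "*"; scope to ARNs if possible')
    return findings

def check_instance_profiles(resources):
    """Each instance profile must carry exactly one role, and that role must be defined here."""
    findings = []
    for name, res in resources.items():
        if res["Type"] != "AWS::IAM::InstanceProfile":
            continue
        roles = res["Properties"].get("Roles", [])
        if len(roles) != 1:
            findings.append(f"{name}: an instance profile holds exactly one role, found {len(roles)}")
        for role in roles:
            target = role.get("Ref") if isinstance(role, dict) else role
            if resources.get(target, {}).get("Type") != "AWS::IAM::Role":
                findings.append(f"{name}: Roles references {target!r}, which is not a role in this template")
    return findings

def lint_template(template_text, allowed_services=("ec2.amazonaws.com",)):
    """Return a list of findings; an empty list means the IAM resources pass every check."""
    resources = json.loads(template_text)["Resources"]
    findings = []
    for name, res in resources.items():
        if res["Type"] == "AWS::IAM::Role":
            findings += check_trust_policy(name, res["Properties"], allowed_services)
            findings += check_inline_policies(name, res["Properties"])
    return findings + check_instance_profiles(resources)

if __name__ == "__main__":
    for finding in lint_template(RECIPE_TEMPLATE) or ["no findings"]:
        print(finding)
```

Run against the recipe's template this reports a single finding, the logs: write actions on Resource "*", and nothing else: the trust policy admits only ec2.amazonaws.com, there are no wildcard actions, and the profile references the one role in the template. Changing the service principal, inserting a logs:* action, or pointing the profile at a role that is not in the template each produce an additional finding, which is the kind of regression a check like this is meant to catch in a pull request before anyone runs create-stack.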