💾 Archived View for cfdocs.wetterberg.nu › stacksets-prereqs-self-managed.gemini captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content


Grant self-managed permissions


To set up the required permissions for creating a *service-managed* stack set, see Enable trusted access with AWS Organizations.

Enable trusted access with AWS Organizations

Before you create a stack set with *self-managed* permissions, you need to establish a trust relationship between the administrator and target accounts by creating IAM roles in each account.

Set up basic permissions for stack set operations

The simplest (and most permissive) permissions configuration is where you give *all* users and groups in the administrator account the ability to create and update *all* the stack sets managed through that account. To do this, you create IAM service roles for your administrator and all target accounts. Anyone with permissions to the administrator account then has permissions to create, update, or delete any stacks in any of the target accounts.

Your administrator account and target accounts must have service roles configured that create a trust relationship between the accounts, and grant the target accounts permission to create and manage the resources described in your template.

If you structure your permissions this way, users do not pass an administrator role when creating or updating stack sets.


https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml

Regional endpoints

Prerequisites for stack set operations

https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml

Set up advanced permissions options for stack set operations

If you require finer-grained control over the stack sets that users and groups are creating through a single administrator account, you can use IAM roles to specify:

Set up permissions to control target account access

Use customized administrator roles to control which users and groups of the administrator account can perform stack set operations in which target accounts. To do this, you create a trust relationship between each target account and a specific customized administrator role, rather than creating the *AWSCloudFormationStackSetAdministrationRole* service role in the administrator account itself. You then allow specific users and groups to use that customized administrator role when performing stack set operations in a specific target account.

For example, you can create Role A and Role B within your administrator account. You can give Role A permissions to access target account 1 through account 8. You can give Role B permissions to access target account 9 through account 16.


Setting up the necessary permissions involves defining a customized administrator role, creating a service role for the target account, and granting users permission to pass the customized administrator role when performing stack set operations.

In general, here's how it works once you have the necessary permissions in place. When creating a stack set, the user must specify a customized administrator role, and must have permission to pass that role to AWS CloudFormation. In addition, the customized administrator role must have a trust relationship with the target accounts specified for the stack set. AWS CloudFormation creates the stack set and associates the customized administrator role with it. When updating a stack set, the user must explicitly specify a customized administrator role, even if it is the same customized administrator role used with this stack set previously. AWS CloudFormation uses that role to update the stack set, subject to the requirements above.

IAM service role

Regional endpoints

Prerequisites for stack set operations

Granting a user permissions to pass a role to an AWS service
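The trust chain described above has two halves that both have to hold: the administrator role must be allowed to assume the execution role in the target account, and the execution role in that account must trust that specific administrator role. The following is an added example, not code from the AWS documentation or from the sample templates linked above: it builds the four policy documents involved (administrator role trust and permissions policies, execution role trust policy, and the iam:PassRole policy for users) and checks whether the chain closes for a given target account. The account IDs, the role name StackSetAdminRoleA and every helper function are constructed assumptions; only the two default AWS role names are real.

```python
"""
Added example, not code from the AWS documentation or the sample templates:
builds the IAM policy documents that form the self-managed StackSets trust
chain and checks whether the chain closes for a given target account.
Account IDs, the role name StackSetAdminRoleA and all helper functions are
constructed assumptions; the two AWS default role names are real.
"""
import fnmatch
import json

ADMIN_ACCOUNT = "111111111111"                        # constructed sample administrator account
TARGET_ACCOUNTS_A = ["222222222222", "333333333333"]  # constructed: accounts Role A may reach
EXEC_ROLE = "AWSCloudFormationStackSetExecutionRole"  # AWS default execution role name


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def admin_role_trust_policy():
    """Trust policy for an administrator role: only CloudFormation may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "cloudformation.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def admin_role_permissions(target_accounts, exec_role=EXEC_ROLE):
    """Permissions policy for the administrator role, scoped to explicit target accounts.
    Listing account IDs instead of '*' in the account position is what turns
    'any target account' into 'these target accounts'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["sts:AssumeRole"],
                           "Resource": [f"arn:aws:iam::{acct}:role/{exec_role}"
                                        for acct in target_accounts]}]}


def exec_role_trust_policy(admin_account, admin_role):
    """Trust policy for the execution role in a target account: trust exactly one
    administrator role in the administrator account, not the whole account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{admin_account}:role/{admin_role}"},
                           "Action": "sts:AssumeRole"}]}


def pass_role_policy(admin_account, admin_role):
    """Identity policy for the users/groups allowed to pass one administrator role
    to CloudFormation when they create or update a stack set."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "iam:PassRole",
                           "Resource": f"arn:aws:iam::{admin_account}:role/{admin_role}",
                           "Condition": {"StringEquals": {
                               "iam:PassedToService": "cloudformation.amazonaws.com"}}}]}


def assume_allowed(admin_policy, target_account, exec_role=EXEC_ROLE):
    """Does an Allow statement let the admin role assume the execution role in target_account?
    Simplified evaluation: Allow statements only, '*' wildcards matched with fnmatch."""
    target_arn = f"arn:aws:iam::{target_account}:role/{exec_role}"
    for stmt in admin_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if any(fnmatch.fnmatchcase(target_arn, pat) for pat in _as_list(stmt.get("Resource", []))):
            return True
    return False


def trusts_admin(exec_trust, admin_role_arn):
    """Does the execution role's trust policy name this exact administrator role?"""
    for stmt in exec_trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if admin_role_arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            return True
    return False


def chain_closes(admin_policy, admin_role_arn, target_account, exec_trust):
    """Both halves of the trust relationship must hold for a stack set operation to succeed."""
    return assume_allowed(admin_policy, target_account) and trusts_admin(exec_trust, admin_role_arn)


def wildcard_accounts(admin_policy):
    """Flag Resource ARNs with '*' in the account position: the admin role may then assume
    the execution role in every account whose execution role trusts it."""
    flagged = []
    for stmt in admin_policy["Statement"]:
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":")
            if len(parts) >= 6 and parts[4] == "*":
                flagged.append(res)
    return flagged


if __name__ == "__main__":
    role_a_arn = f"arn:aws:iam::{ADMIN_ACCOUNT}:role/StackSetAdminRoleA"
    policy_a = admin_role_permissions(TARGET_ACCOUNTS_A)
    print(json.dumps(policy_a, indent=2))
    trust = exec_role_trust_policy(ADMIN_ACCOUNT, "StackSetAdminRoleA")
    for acct in TARGET_ACCOUNTS_A + ["444444444444"]:
        print(acct, "reachable by Role A:", chain_closes(policy_a, role_a_arn, acct, trust))
```

The check is deliberately one-sided in the simple direction: it only models Allow statements and exact principal ARNs, so a chain it reports as closed still depends on the real IAM evaluation (explicit denies, permission boundaries, SCPs). Its useful output is the negative case, where a target account's execution role trusts the administrator account as a whole or a different administrator role than the one the stack set will be created with, and the wildcard check, which flags an administrator role that can reach any account rather than an enumerated set.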

Set up permissions to control stack resource inclusion

Use customized execution roles to control which stack resources users and groups can include in their stack sets. For example, you might want to set up a group that can only include Amazon S3-related resources in the stack sets they create, while another team can only include DynamoDB resources. To do this, you create a trust relationship between the customized administrator role for each group and a customized execution role for each set of resources. The customized execution role defines which stack resources can be included in stack sets. The customized administrator role resides in the administrator account, while the customized execution role resides in each target account in which you want to create stack sets using the defined resources. You then enable specific users and groups to use the customized administration role when performing stack set operations.

For example, you can create customized administrator roles A, B, and C in the administrator account. Users and groups with permission to use Role A can create stack sets containing the stack resources specifically listed in customized execution role X, but not those in roles Y or Z, or resources not included in any execution role.


When updating a stack set, the user must explicitly specify a customized administrator role, even if it is the same customized administrator role used with this stack set previously. AWS CloudFormation performs the update using the customized administrator role specified, so long as the user has permissions to perform operations on that stack set.

Similarly, the user can also specify a customized execution role. If they specify a customized execution role, AWS CloudFormation uses that role to update the stack, subject to the requirements above. If the user does not specify a customized execution role, AWS CloudFormation performs the update using the customized execution role previously associated with the stack set, so long as the user has permissions to perform operations on that stack set.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1487980684000",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
        "arn:aws:iam::*:role/custom_execution_role"
      ]
    }
  ]
}
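The policy above lets an administrator role assume both the default and a custom execution role; the custom execution role is where the resource-inclusion control of this section actually lives, because its permissions policy decides which services the stack instance can touch. The following is an added example, not code from the AWS documentation: it builds a customized execution role's permissions policy limited to named services, and runs a pre-check over a template to report which resources that role could not create (the "resources not included in any execution role" case above). The resource-type-to-service table, the sample template and the helper functions are constructed for illustration; the inclusion of cloudformation:* in the execution role is an assumption noted in the code, and the check is a simplification of IAM evaluation that compares service prefixes in Allow and Deny statements and nothing finer.

```python
"""
Added example, not code from the AWS documentation: a customized execution
role limited to named services, and a pre-check that reports which resources
in a template fall outside what that role allows.
The resource-type-to-service table and the sample template are constructed
for illustration, and the check is a simplification of IAM evaluation: it
compares service prefixes in Allow/Deny statements, nothing finer.
"""

# Constructed table: CloudFormation resource type -> IAM service prefix its API calls use.
RESOURCE_SERVICE = {
    "AWS::S3::Bucket": "s3",
    "AWS::S3::BucketPolicy": "s3",
    "AWS::DynamoDB::Table": "dynamodb",
    "AWS::IAM::Role": "iam",
    "AWS::Lambda::Function": "lambda",
}

# Constructed sample template: one S3 resource and one DynamoDB resource.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket"},
        "SessionTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {
                "BillingMode": "PAY_PER_REQUEST",
                "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"}],
                "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}],
            },
        },
    }
}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def execution_role_permissions(service_prefixes, denied_prefixes=()):
    """Permissions policy for a customized execution role: full access to the listed
    services and nothing else, plus cloudformation:* for the stack instance itself
    (assumed here to be required; confirm the minimum set against the AWS docs).
    Optional explicit Deny statements keep a service out even if a later edit allows it."""
    statements = [
        {"Sid": "AllowedServices", "Effect": "Allow",
         "Action": [f"{p}:*" for p in service_prefixes], "Resource": "*"},
        {"Sid": "StackOperations", "Effect": "Allow",
         "Action": "cloudformation:*", "Resource": "*"},
    ]
    if denied_prefixes:
        statements.append({"Sid": "NeverTheseServices", "Effect": "Deny",
                           "Action": [f"{p}:*" for p in denied_prefixes], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _service_prefixes(policy, effect):
    """Service prefixes named by actions in statements with the given Effect ('*' kept as-is)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != effect:
            continue
        for action in _as_list(stmt.get("Action", [])):
            found.add("*" if action == "*" else action.split(":", 1)[0])
    return found


def resources_blocked_by_role(template, policy):
    """Return {logical_id: resource_type} for resources the execution role cannot create:
    service denied explicitly, service not allowed, or a type this table does not know."""
    allowed = _service_prefixes(policy, "Allow")
    denied = _service_prefixes(policy, "Deny")
    blocked = {}
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource["Type"]
        svc = RESOURCE_SERVICE.get(rtype)
        permitted = (svc is not None
                     and svc not in denied and "*" not in denied
                     and (svc in allowed or "*" in allowed))
        if not permitted:
            blocked[logical_id] = rtype
    return blocked


if __name__ == "__main__":
    role_x = execution_role_permissions(["s3"], denied_prefixes=["iam"])
    print("Role X (S3 only) blocks:", resources_blocked_by_role(SAMPLE_TEMPLATE, role_x))
    role_y = execution_role_permissions(["s3", "dynamodb"])
    print("Role Y (S3 + DynamoDB) blocks:", resources_blocked_by_role(SAMPLE_TEMPLATE, role_y))
```

Running the pre-check in the administrator account before a stack set operation turns a stack instance failure in the target account (where the execution role lacks permission for one resource type) into a readable list up front; an unknown resource type is reported as blocked rather than silently assumed fine, which is the safer default for a least-privilege execution role.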

Set up permissions for specific stack set operations

In addition, you can set up permissions for which users and groups can perform specific stack set operations, such as creating, updating, or deleting stack sets or stack instances. For more information, see Actions, resources, and condition keys for AWS CloudFormation in the *IAM User Guide*.

Actions, resources, and condition keys for AWS CloudFormation