💾 Archived View for cfdocs.wetterberg.nu › aws-resource-authentication.gemini captured on 2024-05-10 at 12:43:56. Gemini links have been rewritten to link to archived content


AWS::CloudFormation::Authentication

Use the `AWS::CloudFormation::Authentication` resource to specify authentication credentials for files or sources that you specify with the AWS::CloudFormation::Init resource.

AWS::CloudFormation::Init

To include authentication information for a file or source that you specify with `AWS::CloudFormation::Init`, use the `uris` property if the source is a URI or the `buckets` property if the source is an Amazon S3 bucket. For more information about files, see Files. For more information about sources, see Sources.

Files

Sources

You can also specify authentication information for files directly in the `AWS::CloudFormation::Init` resource. The files key of the resource contains a property named `authentication`. You can use the `authentication` property to associate authentication information defined in an `AWS::CloudFormation::Authentication` resource directly with a file.

For files, AWS CloudFormation looks for authentication information in the following order: first in the `authentication` property of the file entry under the `files` key, and then in the `uris` or `buckets` property of the `AWS::CloudFormation::Authentication` resource.

For sources, AWS CloudFormation looks for authentication information in the `uris` or `buckets` property of the `AWS::CloudFormation::Authentication` resource.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax. Note that this resource is declared inside the `Metadata` attribute of the EC2 instance resource that uses it, next to `AWS::CloudFormation::Init`, and that the property names inside each user-named block use lower camel case (see the examples below):

JSON

{
  "AWS::CloudFormation::Authentication" : {
    "String" : {
      "accessKeyId" : String,
      "buckets" : [ String, ... ],
      "password" : String,
      "secretKey" : String,
      "type" : String,
      "uris" : [ String, ... ],
      "username" : String,
      "roleName" : String
    }
  }
}

YAML

AWS::CloudFormation::Authentication:
  String:
    accessKeyId: String
    buckets:
      - String
    password: String
    secretKey: String
    type: String
    uris:
      - String
    username: String
    roleName: String

Properties

`accessKeyId`

Specifies the access key ID for S3 authentication.

`buckets`

A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication credentials.

`password`

Specifies the password for basic authentication.

`secretKey`

Specifies the secret key for S3 authentication.

`type`

Specifies whether the authentication scheme uses a user name and password ("basic") or an access key ID and secret key ("S3").

If you specify `"basic"`, specify the `username`, `password`, and `uris` properties.

If you specify `"S3"`, specify the `accessKeyId`, `secretKey`, and `buckets` (optional) properties.

`uris`

A comma-delimited list of URIs to be associated with the basic authentication credentials. The authorization applies to the specified URIs and any more specific URI. For example, if you specify `http://www.example.com`, the authorization will also apply to `http://www.example.com/test`.

`username`

Specifies the user name for basic authentication.

`roleName`

Describes the role for role-based authentication.

This role must be contained within the instance profile that is attached to the EC2 instance. An instance profile can only contain one IAM role.
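
As an added example (not AWS's code and not part of this page), the following Python models the file lookup order and the `uris` prefix rule described above, together with the per-type property requirements from the property list. The sample `AUTH` dictionary, the placeholder key values, and the two S3 URL forms accepted by `bucket_covered` are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample, modelled on the page's "testBasic" / "testS3" blocks (placeholder keys).
AUTH = {
    "testBasic": {"type": "basic", "username": "u", "password": "p",
                  "uris": ["example.com/test"]},
    "testS3": {"type": "S3", "accessKeyId": "ACCESS-KEY-PLACEHOLDER",
               "secretKey": "SECRET-KEY-PLACEHOLDER", "buckets": ["DOC-EXAMPLE-BUCKET1"]},
}

def uri_covered(prefix, source):
    """True if source is the prefix URI itself or a more specific URI under it."""
    if "://" not in prefix:            # uris entries may omit the scheme ("example.com/test")
        prefix = "http://" + prefix
    a, b = urlparse(prefix), urlparse(source)
    if a.netloc.lower() != b.netloc.lower():
        return False
    base = a.path.rstrip("/")
    return base == "" or b.path == base or b.path.startswith(base + "/")

def bucket_covered(bucket, source):
    """Assumed URL forms: path-style <host>.amazonaws.com/<bucket>/... or virtual-hosted <bucket>.<host>."""
    u = urlparse(source)
    return (u.netloc.endswith("amazonaws.com") and u.path.startswith(f"/{bucket}/")) \
        or u.netloc.startswith(f"{bucket}.")

def validate_block(name, block):
    """Problems with one named block, per the type rules in the property list."""
    t, problems = block.get("type"), []
    if t == "basic":
        problems += [f"{name}: basic requires {k}" for k in ("username", "password", "uris") if k not in block]
    elif t == "S3":
        if "roleName" not in block and not ("accessKeyId" in block and "secretKey" in block):
            problems.append(f"{name}: S3 requires accessKeyId and secretKey, or roleName")
    else:
        problems.append(f"{name}: unknown type {t!r}")
    return problems

def resolve_auth(auth, file_spec):
    """Name of the block that applies to one files entry, or None if nothing matches."""
    if "authentication" in file_spec:                  # 1. explicit reference on the file wins
        return file_spec["authentication"] if file_spec["authentication"] in auth else None
    src = file_spec["source"]                          # 2. otherwise match by uris / buckets
    for name, block in auth.items():
        if block.get("type") == "basic" and any(uri_covered(u, src) for u in block.get("uris", [])):
            return name
        if block.get("type") == "S3" and any(bucket_covered(b, src) for b in block.get("buckets", [])):
            return name
    return None
```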

Remarks

Unlike most resources, the `AWS::CloudFormation::Authentication` type defines a list of user-named blocks, each of which contains authentication properties that use lower camel case naming.

Examples

EC2 web server authentication

This template snippet shows how to get a file from a private S3 bucket within an EC2 instance. The credentials used for authentication are defined in the `AWS::CloudFormation::Authentication` resource, and referenced by the `AWS::CloudFormation::Init` resource in the *files* section.

JSON

"WebServer": {
   "Type": "AWS::EC2::Instance",
   "DependsOn" : "BucketPolicy",
   "Metadata" : {
      "AWS::CloudFormation::Init" : {
         "config" : {
            "packages" : { "yum" : { "httpd" : [] } },
            "files" : {
               "/var/www/html/index.html" : {
                  "source" : {
                     "Fn::Join" : [
                        "", [ "http://s3.amazonaws.com/", { "Ref" : "BucketName" }, "/index.html" ]
                     ]
                  },
                  "mode"   : "000400",
                  "owner"  : "apache",
                  "group"  : "apache",
                  "authentication" : "S3AccessCreds"
               }
            },
            "services" : {
               "sysvinit" : {
                  "httpd" : { "enabled" : "true", "ensureRunning" : "true" }
               }
            }
         }
      },
      "AWS::CloudFormation::Authentication" : {
         "S3AccessCreds" : {
            "type" : "S3",
            "accessKeyId" : { "Ref" : "CfnKeys" },
            "secretKey" : { "Fn::GetAtt": [ "CfnKeys", "SecretAccessKey" ] }
         }
      }
   },
   "Properties": {
      EC2 Resource Properties ...
   }
}

YAML

WebServer: 
  Type: AWS::EC2::Instance
  DependsOn: "BucketPolicy"
  Metadata: 
    AWS::CloudFormation::Init: 
      config: 
        packages: 
          yum: 
            httpd: []
        files: 
          /var/www/html/index.html: 
            source: 
              Fn::Join: 
                - ""
                - 
                  - "http://s3.amazonaws.com/"
                  - Ref: "BucketName"
                  - "/index.html"
            mode: "000400"
            owner: "apache"
            group: "apache"
            authentication: "S3AccessCreds"
        services: 
          sysvinit: 
            httpd: 
              enabled: "true"
              ensureRunning: "true"
    AWS::CloudFormation::Authentication: 
      S3AccessCreds: 
        type: "S3"
        accessKeyId: 
          Ref: "CfnKeys"
        secretKey: 
          Fn::GetAtt: 
            - "CfnKeys"
            - "SecretAccessKey"
  Properties:
    EC2 Resource Properties ...

Specifying both basic and S3 authentication

The following example template snippet includes both *basic* and *S3* authentication types.

JSON

"AWS::CloudFormation::Authentication" : {
   "testBasic" : {
      "type" : "basic",
      "username" : { "Ref" : "UserName" },
      "password" : { "Ref" : "Password" },
      "uris" : [ "example.com/test" ]
   },
   "testS3" : {
      "type" : "S3",
      "accessKeyId" : { "Ref" : "AccessKeyID" },
      "secretKey" : { "Ref" : "SecretAccessKeyID" },
      "buckets" : [ "DOC-EXAMPLE-BUCKET1" ]
   }
}

YAML

AWS::CloudFormation::Authentication: 
  testBasic: 
    type: "basic"
    username: 
      Ref: "UserName"
    password: 
      Ref: "Password"
    uris: 
      - "example.com/test"
  testS3: 
    type: "S3"
    accessKeyId: 
      Ref: "AccessKeyID"
    secretKey: 
      Ref: "SecretAccessKeyID"
    buckets: 
      - "myawsbucket"

IAM roles

The following example shows how to use IAM roles:

AWS::IAM::Role

JSON

"AWS::CloudFormation::Authentication": {
    "rolebased" : {
        "type": "S3",
        "buckets": [ "myBucket" ],
        "roleName": { "Ref": "myRole" }
    }
}

YAML

AWS::CloudFormation::Authentication: 
  rolebased: 
    type: "S3"
    buckets: 
      - "myBucket"
    roleName: 
      Ref: "myRole"