Archived view for cfdocs.wetterberg.nu › aws-resource-authentication.gemini, captured on 2024-08-25 at 01:51:48.
Use the `AWS::CloudFormation::Authentication` resource to specify authentication credentials for files or sources that you specify with the AWS::CloudFormation::Init resource.
To include authentication information for a file or source that you specify with `AWS::CloudFormation::Init`, use the `uris` property if the source is a URI or the `buckets` property if the source is an Amazon S3 bucket. For more information about files, see Files. For more information about sources, see Sources.
You can also specify authentication information for files directly in the `AWS::CloudFormation::Init` resource. The files key of the resource contains a property named `authentication`. You can use the `authentication` property to associate authentication information defined in an `AWS::CloudFormation::Authentication` resource directly with a file.
For files, AWS CloudFormation looks for authentication information in the following order:
1. The `authentication` property of the files key in the `AWS::CloudFormation::Init` resource.
2. The `uris` or `buckets` property of the `AWS::CloudFormation::Authentication` resource.
For sources, AWS CloudFormation looks for authentication information in the `uris` or `buckets` property of the `AWS::CloudFormation::Authentication` resource.
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
```json
{
  "Type" : "AWS::CloudFormation::Authentication" {
    "String" : {
      "accessKeyId" : String,
      "buckets" : [ String, ... ],
      "password" : String,
      "secretKey" : String,
      "type" : String,
      "uris" : [ String, ... ],
      "username" : String,
      "roleName" : String
    }
  }
}
```

YAML
```yaml
Type: AWS::CloudFormation::Authentication
String:
  accessKeyId: String
  buckets:
    - String
  password: String
  secretKey: String
  type: String
  uris:
    - String
  username: String
  roleName: String
```

You should be aware of the following considerations when using the `AWS::CloudFormation::Authentication` type:
`accessKeyId`
Specifies the access key ID for S3 authentication.
`buckets`
A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication credentials.
`password`
Specifies the password for basic authentication.
`secretKey`
Specifies the secret key for S3 authentication.
`type`
Specifies whether the authentication scheme uses a user name and password ("basic") or an access key ID and secret key ("S3").
If you specify `"basic"`, specify the `username`, `password`, and `uris` properties.
If you specify `"S3"`, specify the `accessKeyId`, `secretKey`, and `buckets` (optional) properties.
`uris`
A comma-delimited list of URIs to be associated with the basic authentication credentials. The authorization applies to the specified URIs and any more specific URI. For example, if you specify `http://www.example.com`, the authorization will also apply to `http://www.example.com/test`.
`username`
Specifies the user name for basic authentication.
`roleName`
Describes the role for role-based authentication.
This role must be contained within the instance profile that is attached to the EC2 instance. An instance profile can only contain one IAM role.
Unlike most resources, the `AWS::CloudFormation::Authentication` type defines a list of user-named blocks, each of which contains authentication properties that use lower camel case naming.
This template snippet shows how to get a file from a private S3 bucket within an EC2 instance. The credentials used for authentication are defined in the `AWS::CloudFormation::Authentication` resource, and referenced by the `AWS::CloudFormation::Init` resource in the *files* section.
JSON
```json
"WebServer": {
  "Type": "AWS::EC2::Instance",
  "DependsOn" : "BucketPolicy",
  "Metadata" : {
    "AWS::CloudFormation::Init" : {
      "config" : {
        "packages" : {
          "yum" : {
            "httpd" : []
          }
        },
        "files" : {
          "/var/www/html/index.html" : {
            "source" : {
              "Fn::Join" : [ "", [ "http://s3.amazonaws.com/", { "Ref" : "BucketName" }, "/index.html" ] ]
            },
            "mode" : "000400",
            "owner" : "apache",
            "group" : "apache",
            "authentication" : "S3AccessCreds"
          }
        },
        "services" : {
          "sysvinit" : {
            "httpd" : {
              "enabled" : "true",
              "ensureRunning" : "true"
            }
          }
        }
      }
    },
    "AWS::CloudFormation::Authentication" : {
      "S3AccessCreds" : {
        "type" : "S3",
        "accessKeyId" : { "Ref" : "CfnKeys" },
        "secretKey" : { "Fn::GetAtt": [ "CfnKeys", "SecretAccessKey" ] }
      }
    }
  },
  "Properties": {
    EC2 Resource Properties ...
  }
}
```

YAML
```yaml
WebServer:
  Type: AWS::EC2::Instance
  DependsOn: "BucketPolicy"
  Metadata:
    AWS::CloudFormation::Init:
      config:
        packages:
          yum:
            httpd: []
        files:
          /var/www/html/index.html:
            source:
              Fn::Join:
                - ""
                - - "http://s3.amazonaws.com/"
                  - Ref: "BucketName"
                  - "/index.html"
            mode: "000400"
            owner: "apache"
            group: "apache"
            authentication: "S3AccessCreds"
        services:
          sysvinit:
            httpd:
              enabled: "true"
              ensureRunning: "true"
    AWS::CloudFormation::Authentication:
      S3AccessCreds:
        type: "S3"
        accessKeyId:
          Ref: "CfnKeys"
        secretKey:
          Fn::GetAtt:
            - "CfnKeys"
            - "SecretAccessKey"
  Properties:
    EC2 Resource Properties ...
```
The following example template snippet includes both *basic* and *S3* authentication types.
JSON
```json
"AWS::CloudFormation::Authentication" : {
  "testBasic" : {
    "type" : "basic",
    "username" : { "Ref" : "UserName" },
    "password" : { "Ref" : "Password" },
    "uris" : [ "example.com/test" ]
  },
  "testS3" : {
    "type" : "S3",
    "accessKeyId" : { "Ref" : "AccessKeyID" },
    "secretKey" : { "Ref" : "SecretAccessKeyID" },
    "buckets" : [ "DOC-EXAMPLE-BUCKET1" ]
  }
}
```

YAML
```yaml
AWS::CloudFormation::Authentication:
  testBasic:
    type: "basic"
    username:
      Ref: "UserName"
    password:
      Ref: "Password"
    uris:
      - "example.com/test"
  testS3:
    type: "S3"
    accessKeyId:
      Ref: "AccessKeyID"
    secretKey:
      Ref: "SecretAccessKeyID"
    buckets:
      - "myawsbucket"
```
The following example shows how to use IAM roles:
JSON
```json
"AWS::CloudFormation::Authentication": {
  "rolebased" : {
    "type": "S3",
    "buckets": [ "myBucket" ],
    "roleName": { "Ref": "myRole" }
  }
}
```

YAML
```yaml
AWS::CloudFormation::Authentication:
  rolebased:
    type: "S3"
    buckets:
      - "myBucket"
    roleName:
      Ref: "myRole"
```
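The S3 snippets above differ in one security-relevant way: the `S3AccessCreds` block stores a long-lived access key pair in the stack's metadata, while the `rolebased` block lets the instance profile supply short-lived credentials. The following linter, an added example that is not part of the AWS documentation, walks a JSON template and flags `S3` blocks that carry `accessKeyId`/`secretKey` without `roleName`, hard-coded literal secrets, and `basic` blocks whose `uris` are not `https://`. The sample templates and the lint messages are constructed for this example.

```python
# Added example, not AWS code: lint AWS::CloudFormation::Authentication blocks
# for credential-handling risks. Works on the JSON template form only.
import json

AUTH_KEY = "AWS::CloudFormation::Authentication"


def lint_auth_block(resource_name, block_name, block):
    """Return (resource, block, message) tuples for one user-named auth block."""
    findings = []
    kind = block.get("type")
    if kind == "S3":
        # Static keys in metadata are long-lived secrets; roleName is the safer form.
        if "roleName" not in block and ("accessKeyId" in block or "secretKey" in block):
            findings.append((resource_name, block_name,
                             "S3 auth carries a static access key; prefer roleName"))
        for key in ("accessKeyId", "secretKey"):
            if isinstance(block.get(key), str):  # a literal, not {"Ref": ...}
                findings.append((resource_name, block_name, f"{key} is hard-coded"))
    elif kind == "basic":
        if isinstance(block.get("password"), str):
            findings.append((resource_name, block_name, "password is hard-coded"))
        for uri in block.get("uris", []):
            if not str(uri).startswith("https://"):
                findings.append((resource_name, block_name,
                                 f"uri {uri!r} is not https; basic credentials would be sent in clear"))
    return findings


def lint_template(template):
    """Collect findings from every resource's Metadata in a parsed template."""
    findings = []
    for res_name, res in template.get("Resources", {}).items():
        for block_name, block in res.get("Metadata", {}).get(AUTH_KEY, {}).items():
            findings.extend(lint_auth_block(res_name, block_name, block))
    return findings


# Constructed sample templates: static keys (as in the WebServer snippet) vs. roleName.
STATIC_KEYS = json.loads('''{"Resources": {"WebServer": {"Type": "AWS::EC2::Instance",
  "Metadata": {"AWS::CloudFormation::Authentication": {"S3AccessCreds": {"type": "S3",
  "accessKeyId": {"Ref": "CfnKeys"},
  "secretKey": {"Fn::GetAtt": ["CfnKeys", "SecretAccessKey"]}}}}}}}''')
ROLE_BASED = json.loads('''{"Resources": {"WebServer": {"Type": "AWS::EC2::Instance",
  "Metadata": {"AWS::CloudFormation::Authentication": {"rolebased": {"type": "S3",
  "buckets": ["myBucket"], "roleName": {"Ref": "myRole"}}}}}}}''')

if __name__ == "__main__":
    for finding in lint_template(STATIC_KEYS) + lint_template(ROLE_BASED):
        print(*finding, sep=": ")
```

Run against a real template with `lint_template(json.load(open("template.json")))`; the role-based sample produces no findings, the static-key sample produces one.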