
I am creating a cloudformation stack using a SAM template and the CLI. I have successfully done this using an account that gets all the required permissions from policies directly attached to it. It's poor security practice to give this account all these permissions so I've created a role with the same policies attached and want to use that for deployment instead. However, even though I pass my role through the --role-arn parameter the command is still looking to the account for the permissions.

Here are the commands I've tried using:

    aws cloudformation deploy --template-file TemplatePackaged.yaml --stack-name TestStack --capabilities CAPABILITY_IAM --region us-east-1 --role-arn arn:aws:iam::666488004797:role/LambdaApplicationCreateRole

or

    sam deploy --template-file TemplatePackaged.yaml --stack-name TestStack --capabilities CAPABILITY_IAM --region us-east-1 --role-arn arn:aws:iam::666488004797:role/LambdaApplicationCreateRole

Unless the user logged into the CLI has the required permissions, I get this error with either command:

    An error occurred (AccessDenied) when calling the DescribeStacks operation: User: arn:aws:iam::666488004797:user/DummyUser1 is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-1:666488004797:stack/Melissa/*

How do I get the deploy command to use the role passed in the --role-arn parameter to get the permissions it needs?

Ramprasath Selvam
Harfel Jaquez

2 Answers


After a lot of reading and trial and error I found that Manoj's answer is correct, but the tricky part is the argument that one needs to pass as xyz in his answer. Here is what I had to do in order to pass a role:

I had to configure the role that I wanted to pass on the AWS CLI's config file as a profile. The parameter --profile that Manoj mentioned only works with profiles configured in this file (to the best of my knowledge). The way to configure a role as a profile is using the command:

    aws configure --profile arbitraryName

What follows after --profile is just a label or variable that you will use to refer to your role when you want to pass it; you can give it any name, but ideally you would name it the same as the role it will hold. Running this command will prompt you for a couple of fields. As far as I know roles don't have an access_key or secret_access_key, so just hit enter to skip these, as well as the region and output; you don't need those for your role. Next you will set the fields that roles actually need by using these commands:

    aws configure set profile.arbitraryName.role_arn roleArn

    aws configure set profile.arbitraryName.source_profile cliProfile

The roleArn is the ARN of the role you are configuring into the CLI, and the cliProfile is a user already configured in the CLI that has rights to assume the role. Once this is done, whenever you want to pass the configured role in a command you just need to add --profile arbitraryName as the last parameter of your command, and the command will use permissions from the role that was passed.

*Interesting to know: passing a role this way does an implicit aws sts assume-role. If you know where your .aws folder is you can go in and see a folder named cli, which contains a JSON file with the temporary credentials that are created when a role is assumed.

I had to do a lot of reading to figure this out, I hope this answer will save someone else some time.

Harfel Jaquez
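As an added example (not code from either answer): a small Python helper that writes the `~/.aws/config` section the two `aws configure set` commands above produce and checks it before deploying, so a typo in `source_profile` or a malformed `role_arn` is caught offline rather than as an AccessDenied at deploy time. The profile label `deploy-role`, the source profile `cli-user` and its credentials are constructed; the role ARN is the one from the question.

```python
import configparser
import re

# IAM role ARN shape: 12-digit account id, then role/<name> (may include a path).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def role_profile_section(profile, role_arn, source_profile, region=None):
    """Return the ~/.aws/config section that `aws configure set
    profile.<name>.role_arn` and `.source_profile` write for a role profile."""
    lines = [f"[profile {profile}]",
             f"role_arn = {role_arn}",
             f"source_profile = {source_profile}"]
    if region:
        lines.append(f"region = {region}")
    return "\n".join(lines) + "\n"

def _has_static_creds(cfg, creds, src):
    """True if profile `src` carries an access key in the credentials or config file."""
    cfg_sec = src if src == "default" else f"profile {src}"
    for parser, sec in ((creds, src), (cfg, cfg_sec)):
        if parser.has_section(sec) and "aws_access_key_id" in parser[sec]:
            return True
    return False

def validate_role_profiles(config_text, credentials_text):
    """Return a list of problems found in every role profile of an AWS CLI config.
    A role profile needs a well-formed role_arn and a source_profile that actually
    holds static credentials; otherwise the implicit assume-role cannot happen."""
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(config_text)
    creds = configparser.ConfigParser(delimiters=("=",))
    creds.read_string(credentials_text)
    problems = []
    for section in cfg.sections():
        if "role_arn" not in cfg[section]:
            continue  # plain credentials profile, nothing to check
        name = section[len("profile "):] if section.startswith("profile ") else section
        if not ROLE_ARN_RE.match(cfg[section]["role_arn"]):
            problems.append(f"{name}: malformed role_arn")
        src = cfg[section].get("source_profile")
        if src is None:
            problems.append(f"{name}: missing source_profile")
        elif not _has_static_creds(cfg, creds, src):
            problems.append(f"{name}: source_profile '{src}' has no static credentials")
    return problems

# Constructed sample: the role from the question, a made-up source profile "cli-user".
SAMPLE_CONFIG = role_profile_section(
    "deploy-role", "arn:aws:iam::666488004797:role/LambdaApplicationCreateRole",
    "cli-user", "us-east-1")
SAMPLE_CREDENTIALS = "[cli-user]\naws_access_key_id = AKIACONSTRUCTED\naws_secret_access_key = constructed\n"
```

Run `validate_role_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS)` on the real files' contents before `aws cloudformation deploy ... --profile deploy-role`; an empty list means the role profile is wired up.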

There could be multiple approaches.

  1. Assume the role and use the profile for deploying with AWS CloudFormation

    aws cloudformation deploy --template-file TemplatePackaged.yaml --stack-name TestStack --profile xyz
    
  2. Launch an EC2 instance with an instance profile that has access to CloudFormation; then you don't have to explicitly specify the role ARN or profile details

    aws cloudformation deploy --template-file TemplatePackaged.yaml --stack-name TestStack 
    
kichik
mkrana