Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
In some situations, you want to grant one of your team members the ability to deploy a CloudFormation template. But at the same time, you don't want to grant that team member excessive permissions like
The approach here is to use a CloudFormation service role in IAM. This service role has the permissions necessary to provision template resources, including iam:*. Your team member has a more restricted set of permissions, but can assume the service role when spinning up the
- Spin up the CloudFormation template at the bottom of the page.
- Add your team member to the IAM Group
- When your team member spins up the SFTP Gateway CloudFormation template, they need to
The CloudFormation template below provisions an IAM role named
This service role has all the permissions necessary for spinning up the SFTP Gateway HA existing VPC template. (Feel free to modify these permissions as needed.)
The template below also creates an IAM group named CloudFormationUsersGroup. This group has the permission iam:PassRole, which allows it to assume the
When you specify an IAM role when provisioning a CloudFormation stack, all subsequent operations on that stack will be performed using that IAM role.
It's important to note that the CloudFormationUsersGroup permissions do not include the ability to create IAM roles. So in this way, a restricted user is still able to deploy the SFTP Gateway CloudFormation template for creating IAM roles
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'   # quoted so YAML does not parse it as a date
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: CloudFormation Service Role
      RoleName: CloudFormationServiceRole
  CloudFormationServiceRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CloudFormationServiceRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              # all these get provisioned by the HA existing stack
              - 'ec2:*'
              - 'logs:*'
              - 'iam:*'
              - 'elasticloadbalancing:*'
              - 'elasticfilesystem:*'
              - 'autoscaling:*'
              - 'events:*'
            Resource: '*'
      Roles:
        - Ref: CloudFormationServiceRole
  CloudFormationUsersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: CloudFormationUsersGroup
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:Get*'           # needs to list IAM roles to find the service role
                  - 'iam:List*'          # needs to list IAM roles to find the service role
                  - 'iam:PassRole'       # needs to assume the service role
                  - 'sns:List*'          # CloudFormation wizard lets you notify SNS; used to get around error
                  - 'cloudformation:*'   # for all CloudFormation related tasks
                  - 'ec2:*'              # need to list VPCs, subnets, create and list the key pair
                  - 's3:*'               # CF templates are stored on S3
                Resource: '*'
          PolicyName: CloudFormationUsersGroupPolicy
```
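As an added example (not part of the SFTP Gateway documentation or template), the following Python evaluates the group's Allow statement above to confirm it grants iam:PassRole but not iam:CreateRole, and contrasts it with a tighter PassRole statement scoped to the service role ARN and to CloudFormation via the IAM condition key iam:PassedToService. The account id is a constructed placeholder and the hardened statement is an assumption, not something the page prescribes.

```python
"""Tiny evaluator for the Allow statements of the CloudFormationUsersGroup policy."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed placeholder account id
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudFormationServiceRole"

# The group's Allow statement from the template above, as a Python dict.
PAGE_GROUP_STATEMENTS = [{
    "Effect": "Allow",
    "Action": ["iam:Get*", "iam:List*", "iam:PassRole", "sns:List*",
               "cloudformation:*", "ec2:*", "s3:*"],
    "Resource": "*",
}]

# Hardened variant (assumption, not from the page): PassRole is limited to the
# one service role and only when it is passed to CloudFormation itself.
HARDENED_GROUP_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["iam:Get*", "iam:List*", "sns:List*", "cloudformation:*", "ec2:*", "s3:*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": SERVICE_ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards '*' and '?'; action names are case-insensitive, so compare lowercased.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(statements, action, resource, context=None):
    """True if some Allow statement matches the action and resource and every
    StringEquals condition key is present in the request context with the
    expected value (a missing key fails the condition, as in IAM)."""
    context = context or {}
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in cond.items()):
            return True
    return False
```

Run `is_allowed(PAGE_GROUP_STATEMENTS, "iam:CreateRole", "*")` to see the restriction the text describes, and compare the two statement sets for `iam:PassRole` with different roles and target services.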