CloudFormation: reference the userId that is running the template


My use case consists of a user launching a CloudFormation template via Service Catalog to create an EC2 instance. I would like the CFN template to create a tag key called "Owner" and assign the userid who launched the CFN to the tag value.
I use this "Owner" tag in a custom policy to provide permissions based on this condition: "Condition": { "StringEquals": { "aws:ResourceTag/Owner": "${aws:userid}" } }. The policy part works great if I manually add the Owner tag to the resource (EC2 in this case). I'm just not sure how to automatically assign the "Owner" tag value in the CloudFormation template. In case it matters, the userId I'd like to assign is a federated SSO user. Many thanks in advance.

asked 2 years ago, 1196 views
2 Answers

There is no pseudo parameter for the launcher of the stack. The only way this can be achieved currently is utilising a custom resource with Lambda. This blog post shows a Lambda being used for a similar purpose with Service Catalog, where it inputs the userid into DynamoDB; you would need to use the output of the Lambda as the input for your IAM policy.

AWS
EXPERT
Peter_G
answered 2 years ago

I just saw this question because I had the same issue with Service Catalog. It is sad that SC has very limited features; I would like it to be easier to get information about the user issuing the provisioning from within the CloudFormation template. I was using the solution not to deploy a resource like EC2, but to run a CloudFormation template using a launch constraint to include the user in a group where the user would have more permissions, and that is not easy to do. Service Catalog is missing settings for quotas, for example; I would like to limit how many provisioned products a user can have. Automating all of this using a launch constraint is not easy.

About the blog post, the problem with that is: if you are using a launch constraint you will not get the user ID from Service Catalog that started the product; you will get the Service Catalog principal ID.

The solution that came to my mind after a lot of research: use a Lambda function to receive events from Service Catalog and check for events related to provisioning a product. I checked, and there you can get the ID of the user; save that information in DynamoDB. From some events you can get information that is common to the CloudFormation events, or you can use the pseudo parameter stack ID and compare it with the one saved from the SC event API in DynamoDB to check which user issued the provisioning command. Based on that you can properly tag your products, or, in my case, you can use a Lambda function to compute that and check whether a user already has a provisioned product and cancel the operation. It is not very practical, because everything would be easily solved if Service Catalog had these features.

edipof
answered 2 years ago
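The two answers above describe the same pipeline from different ends: a Lambda that records who called ProvisionProduct (edipof's event-driven lookup, which avoids the launch-role identity problem) and a custom resource in the product template that reads that record back so the stack can tag the instance (Peter_G's custom resource with Lambda). The block below is an added example written for this page, not code from either answer, from the blog post they mention, or from AWS. It stands the DynamoDB table in with a dict, uses a hypothetical `resolve_stack_arn` callable in place of a DescribeProvisionedProduct call (whose PhysicalId is the CloudFormation stack ARN backing the product), names the custom resource `Custom::Owner` for illustration, and runs on constructed CloudTrail-shaped events whose `responseElements` field names follow the ProvisionProduct API response and should be checked against a real record. The part a practitioner most needs is `principal_userid`: for a federated SSO session the CloudTrail `principalId` is `<role id>:<session name>`, which is exactly the string `${aws:userid}` resolves to in the question's policy condition, so that is the value to put in the Owner tag.

```python
# Stand-in for the DynamoDB table the answers describe, keyed by stack ARN.
OWNER_TABLE = {}

def principal_userid(user_identity):
    """Value IAM exposes as ${aws:userid} for a CloudTrail userIdentity block.
    IAMUser     -> principalId is the user's unique id (AIDA...).
    AssumedRole -> principalId is "<role id>:<session name>" (AROA...:name),
                   which is what a federated SSO session reports as aws:userid.
    Anything else (root, an AWS service) cannot be matched by the policy."""
    if user_identity.get("type") in ("IAMUser", "AssumedRole"):
        return user_identity.get("principalId")
    return None

def record_provisioning(event, resolve_stack_arn, table=OWNER_TABLE):
    """EventBridge target for the CloudTrail ProvisionProduct call.
    resolve_stack_arn(provisioned_product_id) is a hypothetical callable that
    stands in for servicecatalog DescribeProvisionedProduct (its PhysicalId is
    the stack ARN backing the product). Returns (stack_arn, owner) when a
    record was written, otherwise None."""
    detail = event.get("detail", event)  # EventBridge wraps CloudTrail in "detail"
    # Only ProvisionProduct carries the real caller. With a launch constraint the
    # CreateStack call that follows is made by the Service Catalog launch role,
    # so CloudFormation events are ignored rather than recorded as the owner.
    if (detail.get("eventSource") != "servicecatalog.amazonaws.com"
            or detail.get("eventName") != "ProvisionProduct"
            or detail.get("errorCode")):
        return None
    owner = principal_userid(detail.get("userIdentity", {}))
    if owner is None:
        return None
    # Field path assumed from the ProvisionProduct API response shape.
    pp_id = detail["responseElements"]["recordDetail"]["provisionedProductId"]
    stack_arn = resolve_stack_arn(pp_id)
    table[stack_arn] = owner
    return stack_arn, owner

def custom_resource_handler(event, table=OWNER_TABLE):
    """Handle a Custom::Owner resource (hypothetical name) in the product
    template. event["StackId"] equals the AWS::StackId pseudo parameter, so it
    is the lookup key; the template reads the result as !GetAtt Owner.Value."""
    base = {
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "PhysicalResourceId": event.get("PhysicalResourceId", event["LogicalResourceId"]),
    }
    if event["RequestType"] == "Delete":
        return dict(base, Status="SUCCESS", Data={})
    owner = table.get(event["StackId"])
    if owner is None:
        # Fail the stack instead of tagging with an empty owner, which would
        # leave an instance that the policy condition lets nobody manage.
        return dict(base, Status="FAILED", Reason="no provisioning record for this stack")
    return dict(base, Status="SUCCESS", Data={"Value": owner})

def policy_allows(resource_tags, request_userid):
    """Mirror of the question's condition:
    StringEquals aws:ResourceTag/Owner == ${aws:userid}."""
    return resource_tags.get("Owner") == request_userid

# Constructed sample events, not real CloudTrail records.
SSO_PROVISION_EVENT = {"detail": {
    "eventSource": "servicecatalog.amazonaws.com", "eventName": "ProvisionProduct",
    "userIdentity": {"type": "AssumedRole",
                     "principalId": "AROAEXAMPLEROLEID:alice@example.com"},
    "responseElements": {"recordDetail": {"provisionedProductId": "pp-abc123"}}}}
LAUNCH_ROLE_CREATESTACK_EVENT = {"detail": {
    "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
    "userIdentity": {"type": "AssumedRole",
                     "principalId": "AROAEXAMPLESCROLE:servicecatalog"}}}
STACK_ARN = ("arn:aws:cloudformation:us-east-1:111122223333:stack/"
             "SC-111122223333-pp-abc123/3a1b2c4d-0000-1111-2222-333344445555")

def demo():
    """Run both halves end to end; returns (tags, alice_allowed, bob_allowed)."""
    table = {}
    lookup = {"pp-abc123": STACK_ARN}.get  # stand-in for DescribeProvisionedProduct
    stack_arn, _ = record_provisioning(SSO_PROVISION_EVENT, lookup, table)
    cr_event = {"RequestType": "Create", "StackId": stack_arn, "RequestId": "req-1",
                "LogicalResourceId": "Owner"}
    tags = {"Owner": custom_resource_handler(cr_event, table)["Data"]["Value"]}
    return (tags, policy_allows(tags, "AROAEXAMPLEROLEID:alice@example.com"),
            policy_allows(tags, "AROAEXAMPLEROLEID:bob@example.com"))
```

In a real deployment the dict returned by `custom_resource_handler` is what the Lambda PUTs to the `ResponseURL` in the custom resource event (the usual cfnresponse pattern), and the template feeds `!GetAtt Owner.Value` into the instance's Tags. Note that a session name is part of the owner value, so a user who signs in with a different session name later will not match the tag; that is a property of `${aws:userid}` itself, not of this code.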
