Does AWS cfn-init need a Profile/Role for DescribeStackResource?

From this page:

To use the AWS CloudFormation bootstrap features, you need to provide AWS credentials to the bootstrap scripts. We strongly recommend that you assign an IAM role to on the EC2 instance when the instance is launched.

This seems pretty straightforward, but when I look at any example from all over the place in AWS documents, they never set up roles or profiles for this. For example, here.

What am I missing? Are there scenarios that cfn-init requires extra permissions while not in others?

CashIsClay asked Apr 01 '15 14:04


1 Answer

No, you no longer need to add the cloudformation:DescribeStackResource to any policies of the role associated with the instance profile in order to access CloudFormation metadata. The scripts such as cfn-get-metadata and cfn-init are authorized using a special CFN header instead of the standard AWS Authorization header. A request from the CFN scripts looks like this:

# This command succeeds regardless of your instance profile
cfn-get-metadata --region us-west-1 --stack cftest --resource LaunchConfig  --key AWS::CloudFormation::Init

GET /?Action=DescribeStackResource&StackName=cftest&Version=2010-05-15&ContentType=JSON&LogicalResourceId=LaunchConfig HTTP/1.1
Host: cloudformation.us-west-1.amazonaws.com
Connection: keep-alive
Accept: application/json
Accept-Encoding: gzip, deflate
Authorization: CFN_V1 ewogICJwcml2YXRlSX(truncated)==:b9ZM3/EnzeX(truncated)=
User-Agent: CloudFormation Tools

The CFN Authorization header is a concatenation of http://169.254.169.254/latest/dynamic/instance-identity/document and http://169.254.169.254/latest/dynamic/instance-identity/signature and only allows the instance to view the CloudFormation metadata from its own stack.

In contrast, a request that uses the instance profile looks like this:

# This command fails if you don’t have cloudformation:DescribeStackResource permission!
aws cloudformation --region us-west-1 describe-stack-resource --stack-name cftest --logical-resource-id LaunchConfig

POST / HTTP/1.1
Host: cloudformation.us-west-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 95
X-Amz-Date: 20160630T010040Z
User-Agent: aws-cli/1.10.43 Python/2.7.11+ Linux/4.4.0-28-generic botocore/1.4.33
X-Amz-Security-Token: FQoDY(truncated-token)=
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=ASIA(truncated)/20160630/us-west-1/cloudformation/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=fbad7aeef75186cb18bbd44810c4d0379d7d1cf1b8a80be14ea1e3192d2ec531

Action=DescribeStackResource&StackName=cftest&Version=2010-05-15&LogicalResourceId=LaunchConfig

The instance profile temporary credentials are fetched from http://169.254.169.254/latest/meta-data/iam/security-credentials/ as described in IAM Roles for EC2.

(Note: to collect these requests, I ran nc -l 80 & and ran cfn-get-metadata --url http://localhost and aws --endpoint-url http://localhost.)

This CFNSigner functionality was added to the client between aws-cfn-bootstrap-1.1 (2012-03) and aws-cfn-bootstrap-1.3.6 (2012-09). Prior to 2012, you did need to use a role with cloudformation:DescribeStackResource permission, as described in this 2011 document Bootstrapping Applications With AWS CloudFormation. Note that only the cfn-* scripts use the CFNSigner; if you want to use aws cloudformation, you need to make sure your roles allow it.

yonran answered Nov 15 '22 17:11
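The two captured requests in the answer differ only in their Authorization header, which is what a reviewer of proxy or flow logs needs to tell apart: a `CFN_V1` header carries the instance identity document (so it reveals which instance, account and region is vouching for the call and needs no IAM permission), while an `AWS4-HMAC-SHA256` header carries a credential scope that an IAM policy must allow. The following script is an added example, not code from the answer or from the aws-cfn-bootstrap package. It assumes the `CFN_V1` layout seen in the captured sample (base64 identity document, a colon, then the IMDS signature); the identity document and signature values are constructed, and the script does not verify the signature, which would require AWS's public certificate.

```python
import base64
import json
from typing import Any, Dict

# Constructed sample identity document, in the shape IMDS serves at
# /latest/dynamic/instance-identity/document (all values are made up).
SAMPLE_IDENTITY_DOC = json.dumps({
    "privateIp": "10.0.1.23",
    "instanceId": "i-0123456789abcdef0",
    "accountId": "111122223333",
    "region": "us-west-1",
    "architecture": "x86_64",
}, indent=2)

# Constructed stand-in for /latest/dynamic/instance-identity/signature.
# A real value is an AWS-produced signature over the document.
SAMPLE_SIGNATURE = base64.b64encode(b"not-a-real-signature").decode()

# Constructed SigV4 header in the shape of the aws-cli capture on the page.
SAMPLE_SIGV4_HEADER = (
    "AWS4-HMAC-SHA256 Credential=ASIAEXAMPLE/20160630/us-west-1/"
    "cloudformation/aws4_request, "
    "SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=abc"
)


def build_cfn_v1_header(identity_doc: str, signature: str) -> str:
    """Assemble a CFN_V1 header: base64(identity document) ':' signature.
    This layout is inferred from the captured sample, not from AWS docs."""
    doc_b64 = base64.b64encode(identity_doc.encode()).decode()
    return f"CFN_V1 {doc_b64}:{signature}"


def classify_authorization(header_value: str) -> Dict[str, Any]:
    """Classify a captured Authorization header value.

    CFN_V1: decode the embedded identity document so the reviewer can see
    which instance/account/region is vouching for the request.
    SigV4:  pull the credential scope (date/region/service) and the signed
    header list out of the Credential and SignedHeaders fields.
    """
    scheme, _, rest = header_value.partition(" ")
    if scheme == "CFN_V1":
        doc_b64, sep, signature = rest.partition(":")
        if not sep or not signature:
            raise ValueError("CFN_V1 header is missing the signature part")
        doc = json.loads(base64.b64decode(doc_b64))
        return {
            "scheme": "CFN_V1",
            "instance_id": doc.get("instanceId"),
            "account_id": doc.get("accountId"),
            "region": doc.get("region"),
            # Authorized by instance identity; no IAM action is consulted.
            "needs_iam_permission": False,
        }
    if scheme == "AWS4-HMAC-SHA256":
        fields: Dict[str, str] = {}
        for part in rest.split(","):
            key, _, value = part.strip().partition("=")
            fields[key] = value
        # Credential=<access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
        access_key, *scope = fields.get("Credential", "").split("/")
        if len(scope) != 4:
            raise ValueError("unexpected SigV4 credential scope")
        return {
            "scheme": "SigV4",
            "access_key_id": access_key,
            "date": scope[0],
            "region": scope[1],
            "service": scope[2],
            "signed_headers": fields.get("SignedHeaders", "").split(";"),
            # The caller's IAM policy must allow the requested action.
            "needs_iam_permission": True,
        }
    raise ValueError(f"unknown Authorization scheme: {scheme!r}")


if __name__ == "__main__":
    cfn_header = build_cfn_v1_header(SAMPLE_IDENTITY_DOC, SAMPLE_SIGNATURE)
    print(classify_authorization(cfn_header))
    print(classify_authorization(SAMPLE_SIGV4_HEADER))
```

Fed the `Authorization:` line from either capture on the page, `classify_authorization` tells you which path the request took; the `needs_iam_permission` flag mirrors the answer's point that only the SigV4 path is gated by `cloudformation:DescribeStackResource`.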