ShahradR / cloudformation-release-pipeline

MIT No Attribution

Create an IAM role to allow for the deployment of CloudFormation templates #20

Open ShahradR opened 3 years ago

ShahradR commented 3 years ago

Create an IAM role for AWS CodePipeline to assume when creating resources defined in CloudFormation templates.

For this specific use case, the AWS CodePipeline pipeline is hardcoded to deploy the CloudFormation template created in the ShahradR/sc-s3-portfolio repository. The project's CloudFormation templates create AWS resources of the following types:

The IAM role assumed by CodePipeline in the Release action should support the creation of all those resources.

ShahradR commented 3 years ago

As a test, the CodePipeline role was granted an administrative role. Once the resources defined by the CloudFormation stack have been deployed, we can pull the CloudTrail logs and see which API calls were made during the creation process. The IAM role assumed by the pipeline will need the same roles to deploy the stack.

| User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources | Read-only | Event type | Event category |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AWSCloudFormation | 2020-12-28T18:17:43Z | servicecatalog.amazonaws.com | AssociateProductWithPortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
| AWSCloudFormation | 2020-12-28T18:17:43Z | servicecatalog.amazonaws.com | CreateConstraint | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
| AWSCloudFormation | 2020-12-28T18:17:25Z | servicecatalog.amazonaws.com | CreateProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
| AWSCloudFormation | 2020-12-28T18:17:23Z | iam.amazonaws.com | AttachRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"arn:aws:iam::aws:policy/AmazonS3FullAccess"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] | FALSE | AwsApiCall | Management |
| AWSCloudFormation | 2020-12-28T18:17:23Z | iam.amazonaws.com | PutRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"SCLaunchPolicy"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] | FALSE | AwsApiCall | Management |
| AWSCloudFormation | 2020-12-28T18:17:22Z | iam.amazonaws.com | CreateRole | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"},{"resourceType":"AWS::IAM::Role","resourceName":"arn:aws:iam::***:role/SCS3LaunchRole"},{"resourceType":"AWS::IAM::Role","resourceName":"***"}] | FALSE | AwsApiCall | Management |
| AWSCloudFormation | 2020-12-28T18:17:20Z | servicecatalog.amazonaws.com | CreatePortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |

ShahradR commented 3 years ago
Additional IAM roles also need to be added when deleting the CloudFormation stack. From the CloudTrail logs, these are the API calls triggered when deleting the stack.

| User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources |
|---|---|---|---|---|---|---|---|---|
| AWSCloudFormation | 2020-12-29T03:54:55Z | servicecatalog.amazonaws.com | DeleteProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] |
| AWSCloudFormation | 2020-12-29T03:54:54Z | iam.amazonaws.com | DetachRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"arn:aws:iam::aws:policy/AmazonS3FullAccess"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] |
| AWSCloudFormation | 2020-12-29T03:54:54Z | iam.amazonaws.com | DeleteRole | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] |
| AWSCloudFormation | 2020-12-29T03:54:54Z | iam.amazonaws.com | DeleteRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"SCLaunchPolicy"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] |
| AWSCloudFormation | 2020-12-29T03:54:53Z | servicecatalog.amazonaws.com | DeletePortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] |
| AWSCloudFormation | 2020-12-29T03:54:51Z | servicecatalog.amazonaws.com | DisassociateProductFromPortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] |
| AWSCloudFormation | 2020-12-29T03:54:51Z | servicecatalog.amazonaws.com | DeleteConstraint | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | ResourceNotFoundException | [] |

ShahradR commented 3 years ago

In addition to the permissions identified in the CloudTrail logs, the Release action role additionally requires the iam:GetRole and iam:CreateRole permissions against the SCS3LaunchRole role, as shown in the CloudFormation logs below.

(screenshot: 2020-12-31_17-43-23)

ShahradR commented 3 years ago

In addition to the permissions listed above, the Release action role additionally requires the iam:GetRolePolicy permission, as shown in the CloudFormation logs below.

(screenshot: 2021-01-01_11-55-17)

ShahradR commented 3 years ago

By removing the "ReadOnly" filter in the CloudTrail logs, we can reveal additional logs, detailing API calls which were only querying information.

https://user-images.githubusercontent.com/5815058/103463548-2b2ffe80-4cfb-11eb-8552-cf0fadf3558d.mp4

Comparing the logs generated when creating the S3 product with our IAM role versus an IAM role with the administrative policy attached, we see that the invalid parameters error is caused by a failed CloudFormation ValidateTemplate API call. Adding the cloudformation:ValidateTemplate permission to our role resolves the InvalidParametersException thrown by Service Catalog.

CloudTrail logs for a failed Service Catalog product deployment

| User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources | Read-only |
|---|---|---|---|---|---|---|---|---|---|
| AWSCloudFormation | 2021-01-02T02:19:51Z | cloudformation.amazonaws.com | ValidateTemplate | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | AccessDenied | [] | TRUE |
| AWSCloudFormation | 2021-01-02T02:19:51Z | servicecatalog.amazonaws.com | CreateProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | InvalidParametersException | [] | FALSE |

CloudTrail logs for a successful Service Catalog product deployment using an administrative policy

| User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources | Read-only |
|---|---|---|---|---|---|---|---|---|---|
| AWSCloudFormation | 2021-01-02T15:50:14Z | servicecatalog.amazonaws.com | CreateProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE |
| AWSCloudFormation | 2021-01-02T15:50:13Z | cloudformation.amazonaws.com | ValidateTemplate | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | TRUE |

ShahradR commented 3 years ago

In addition to the permissions listed above, the Release action role additionally requires the servicecatalog:DescribeProductAsAdmin permission, as shown in the CloudFormation logs below.

(screenshot: 2021-01-02_13-42-50)

ShahradR commented 3 years ago

In addition to the permissions listed above, the Release action role additionally requires the iam:PassRole permission, as shown in the CloudFormation logs below.

(screenshot: 2021-01-02_14-48-23)
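The procedure worked through in this thread (deploy with an administrative role, read CloudTrail, turn the observed API calls into a least-privilege policy, and add the permissions CloudTrail does not surface) as an added example; this is not code from the repository. The sample records are constructed to mirror the rows in the thread and use the `resourceType`/`resourceName` layout of the console export shown above; the account id is a placeholder.

```python
"""Derive a least-privilege IAM policy from CloudTrail records (added example)."""
import json
from collections import defaultdict

# Constructed records modelled on the thread's rows, not a real export.
ROLE_ARN = "arn:aws:iam::123456789012:role/SCS3LaunchRole"  # placeholder account
SAMPLE_EVENTS = [
    {"eventSource": "servicecatalog.amazonaws.com", "eventName": "CreatePortfolio", "readOnly": False},
    {"eventSource": "servicecatalog.amazonaws.com", "eventName": "CreateProduct", "readOnly": False},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "readOnly": False,
     "resources": [{"resourceType": "AWS::IAM::Role", "resourceName": ROLE_ARN}]},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "readOnly": False,
     "resources": [{"resourceType": "AWS::IAM::Role", "resourceName": ROLE_ARN}]},
    # Hidden by the console's ReadOnly filter; its AccessDenied is what surfaced as
    # InvalidParametersException on CreateProduct in the thread.
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "ValidateTemplate",
     "readOnly": True, "errorCode": "AccessDenied"},
]

def action_for(event):
    """Map a record to the IAM action it exercised, e.g. servicecatalog:CreateProduct."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"

def missing_permissions(events):
    """Actions CloudTrail reports as AccessDenied: what the role still lacks."""
    return sorted({action_for(e) for e in events if e.get("errorCode") == "AccessDenied"})

def build_policy(events, extra_actions=()):
    """One statement per service. Read-only events are kept on purpose (ValidateTemplate
    is required). Statements are scoped to ARNs seen in the records, else '*'.
    extra_actions covers permissions never logged as an API call (iam:PassRole)."""
    actions, resources = defaultdict(set), defaultdict(set)
    for e in events:
        action = action_for(e)
        service = action.split(":")[0]
        actions[service].add(action)
        for r in e.get("resources", []):
            if str(r.get("resourceName", "")).startswith("arn:"):
                resources[service].add(r["resourceName"])
    for action in extra_actions:
        actions[action.split(":")[0]].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts),
                   "Resource": sorted(resources[svc]) or "*"}
                  for svc, acts in sorted(actions.items())]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print("missing:", missing_permissions(SAMPLE_EVENTS))
    print(json.dumps(build_policy(SAMPLE_EVENTS, extra_actions=["iam:PassRole"]), indent=2))
```

Run it against a real CloudTrail export only after pulling events without the ReadOnly filter, since the read-only `ValidateTemplate` call is the one the thread found missing.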