AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::CloudFormation::Authentication

Use the AWS::CloudFormation::Authentication type to specify authentication credentials for files or sources that you specify with the AWS::CloudFormation::Init type.

To include authentication information for a file or source that you specify with AWS::CloudFormation::Init, use the uris property if the source is a URI or the buckets property if the source is an Amazon S3 bucket. For more information about files, see Files. For more information about sources, see Sources.

You can also specify authentication information for files directly in the AWS::CloudFormation::Init resource. The files key of the resource contains a property named authentication. You can use the authentication property to associate authentication information defined in an AWS::CloudFormation::Authentication resource directly with a file.

For files, AWS CloudFormation looks for authentication information in the following order:

  1. The authentication property of the AWS::CloudFormation::Init files key.

  2. The uris or buckets property of the AWS::CloudFormation::Authentication resource.

For sources, AWS CloudFormation looks for authentication information in the uris or buckets property of the AWS::CloudFormation::Authentication resource.

Syntax

Unlike most AWS CloudFormation resources, the AWS::CloudFormation::Authentication type does not contain a block called "Properties", but instead contains a list of user-named blocks, each containing its own authentication properties.

Not all properties pertain to each authentication type; see the type property for more details.

"AWS::CloudFormation::Authentication" : {
   "String" : {
      "accessKeyId" : String,
      "buckets" : [ String, ... ],
      "password" : String,
      "secretKey" : String,
      "type" : String,
      "uris" : [ String, ... ],
      "username" : String,
      "roleName" : String
   },
   ...
}

Properties

accessKeyId

Specifies the access key ID for S3 authentication.

Required: Conditional. Can be specified only if the type property is set to "S3".

Type: String

buckets

A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication credentials.

Required: Conditional. Can be specified only if the type property is set to "S3".

Type: A list of strings

password

Specifies the password for basic authentication.

Required: Conditional. Can be specified only if the type property is set to "basic".

Type: String

secretKey

Specifies the secret key for S3 authentication.

Required: Conditional. Can be specified only if the type property is set to "S3".

Type: String

type

Specifies whether the authentication scheme uses a user name and password ("basic") or an access key ID and secret key ("S3").

If you specify "basic", you must also specify the username, password, and uris properties.

If you specify "S3", you must also specify the accessKeyId, secretKey, and buckets properties.

Required: Yes

Type: String. Valid values are "basic" or "S3".

uris

A comma-delimited list of URIs to be associated with the basic authentication credentials. The authorization applies to the specified URIs and any more specific URI. For example, if you specify http://www.example.com, the authorization will also apply to http://www.example.com/test.

Required: Conditional. Can be specified only if the type property is set to "basic".

Type: A list of strings

username

Specifies the user name for basic authentication.

Required: Conditional. Can be specified only if the type property is set to "basic".

Type: String

roleName

Specifies the IAM role to use for role-based authentication.

Required: Conditional. Can be specified only if the type property is set to "S3".

Type: String

Examples

Example EC2 Web Server Authentication

This template snippet shows how to get a file from a private S3 bucket within an EC2 instance. The credentials used for authentication are defined in the AWS::CloudFormation::Authentication resource, and referenced by the AWS::CloudFormation::Init resource in the files section.

"WebServer": {
   "Type": "AWS::EC2::Instance",
   "DependsOn" : "BucketPolicy",
   "Metadata" : {
      "AWS::CloudFormation::Init" : {
         "config" : {
            "packages" : { "yum" : { "httpd" : [] } },
            "files" : {
               "/var/www/html/index.html" : {
                  "source" : {
                     "Fn::Join" : [
                        "", [ "http://s3.amazonaws.com/", { "Ref" : "BucketName" }, "/index.html" ]
                     ]
                  },
                  "mode"   : "000400",
                  "owner"  : "apache",
                  "group"  : "apache",
                  "authentication" : "S3AccessCreds"
               }
            },
            "services" : {
               "sysvinit" : {
                  "httpd" : { "enabled" : "true", "ensureRunning" : "true" }
               }
            }
         }
      },
      "AWS::CloudFormation::Authentication" : {
         "S3AccessCreds" : {
            "type" : "S3",
            "accessKeyId" : { "Ref" : "CfnKeys" },
            "secretKey" : { "Fn::GetAtt": [ "CfnKeys", "SecretAccessKey" ] }
         }
      }
   },
   "Properties": {
       ... EC2 Resource Properties ...
   }
}

Example Specifying Both Basic and S3 Authentication

The following example template snippet includes both basic and S3 authentication types.

"AWS::CloudFormation::Authentication" : {
   "testBasic" : {
      "type" : "basic",
      "username" : "myuser",
      "password" : "mypassword",
      "uris" : [ "http://www.example.com/test" ]
   },
   "testS3" : {
      "type" : "S3",
      "accessKeyId" : "<Your Access Key ID>",
      "secretKey" : "<Your Secret Key>",
      "buckets" : [ "myawsbucket" ]
   }
}

Example IAM Roles

The following example shows how to use IAM roles.

"AWS::CloudFormation::Authentication": {
    "rolebased" : {
        "type": "S3",
        "buckets": [ "myBucket" ],
        "roleName": { "Ref": "myRole" }
    }
}

The example assumes the following:

  • myRole is an AWS::IAM::Role object.

  • The Amazon EC2 instance that is running cfn-init is associated with myRole through an instance profile.

  • The example specifies the authentication by using the buckets property, like normal Amazon S3 authentication. You can also specify the authentication by name.
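The lookup order for files, the conditional property rules, the prefix matching of uris entries, and the difference between static keys and role-based S3 authentication are easy to get wrong when reading a template by hand. The following Python checker is an added example, not code from the AWS documentation or from cfn-init; it models those rules as the page states them and runs them over constructed sample data that mirrors the basic, S3, and IAM-role examples above. The handling of roleName as an alternative to accessKeyId and secretKey, the exact meaning of "more specific URI" (same scheme and host, same path or a path beneath it), and the recognition of path-style and virtual-hosted S3 URLs are assumptions of this example.

```python
"""Check an AWS::CloudFormation::Authentication block and resolve which
credentials apply to a file. Added example; not AWS or cfn-init code."""
from urllib.parse import urlparse

BASIC_REQUIRED = ("username", "password", "uris")
S3_CREDENTIAL_KEYS = ("accessKeyId", "secretKey")


def validate_auth(auth_block: dict) -> list:
    """Return a list of rule violations (empty list means the block is consistent)."""
    problems = []
    for name, cfg in auth_block.items():
        kind = cfg.get("type")
        if kind not in ("basic", "S3"):  # type is required and has two valid values
            problems.append(f"{name}: type must be 'basic' or 'S3', got {kind!r}")
            continue
        if kind == "basic":
            required = BASIC_REQUIRED
            forbidden = S3_CREDENTIAL_KEYS + ("buckets", "roleName")
        else:
            required = ("buckets",)
            forbidden = BASIC_REQUIRED
            # Assumption: S3 auth carries either a static key pair or an IAM role name.
            if not all(k in cfg for k in S3_CREDENTIAL_KEYS) and "roleName" not in cfg:
                problems.append(f"{name}: S3 auth needs accessKeyId and secretKey, or roleName")
        problems += [f"{name}: missing required property {k!r}" for k in required if k not in cfg]
        problems += [f"{name}: {k!r} is only valid for the other type" for k in forbidden if k in cfg]
    return problems


def literal_secrets(auth_block: dict) -> list:
    """Names of entries whose password or secretKey is a plain string in the template
    (as opposed to a Ref/Fn::GetAtt), i.e. a secret stored in the template text."""
    return [f"{name}.{k}" for name, cfg in auth_block.items()
            for k in ("password", "secretKey") if isinstance(cfg.get(k), str)]


def uri_covered(pattern: str, uri: str) -> bool:
    """True if uri is pattern itself or a more specific URI beneath it (assumed semantics)."""
    p, u = urlparse(pattern), urlparse(uri)
    if (p.scheme, p.netloc) != (u.scheme, u.netloc):
        return False
    base = p.path.rstrip("/")
    return base == "" or u.path == base or u.path.startswith(base + "/")


def s3_bucket_of(uri: str):
    """Bucket name for path-style or virtual-hosted S3 URLs, else None (assumed forms)."""
    u = urlparse(uri)
    if u.netloc == "s3.amazonaws.com":
        return u.path.lstrip("/").split("/", 1)[0] or None
    if u.netloc.endswith(".s3.amazonaws.com"):
        return u.netloc[: -len(".s3.amazonaws.com")]
    return None


def resolve_file_auth(auth_block: dict, files: dict, path: str):
    """Return (name, config) for the credentials cfn-init would apply to a file entry,
    following the page's order: the file's own authentication key first, then uris/buckets."""
    entry = files[path]
    name = entry.get("authentication")
    if name is not None:
        if name not in auth_block:
            raise KeyError(f"{path} references unknown authentication {name!r}")
        return name, auth_block[name]
    source = entry.get("source")
    if not isinstance(source, str):
        return None  # Fn::Join and similar cannot be matched statically
    for name, cfg in auth_block.items():
        if cfg.get("type") == "basic" and any(uri_covered(u, source) for u in cfg.get("uris", [])):
            return name, cfg
        if cfg.get("type") == "S3" and s3_bucket_of(source) in cfg.get("buckets", []):
            return name, cfg
    return None


# Constructed sample data mirroring the page's examples (placeholder values only).
SAMPLE_AUTH = {
    "testBasic": {"type": "basic", "username": "myuser", "password": "mypassword",
                  "uris": ["http://www.example.com/test"]},
    "testS3": {"type": "S3", "accessKeyId": "<Your Access Key ID>",
               "secretKey": "<Your Secret Key>", "buckets": ["myawsbucket"]},
    "rolebased": {"type": "S3", "buckets": ["myBucket"], "roleName": {"Ref": "myRole"}},
}
SAMPLE_FILES = {
    "/tmp/a.txt": {"source": "http://www.example.com/test/a.txt"},
    "/tmp/b.txt": {"source": "http://s3.amazonaws.com/myawsbucket/b.txt"},
    "/tmp/c.txt": {"source": "http://www.example.com/other", "authentication": "testS3"},
    "/tmp/d.txt": {"source": "http://www.example.com/testing"},
}

if __name__ == "__main__":
    print("problems:", validate_auth(SAMPLE_AUTH))
    print("literal secrets:", literal_secrets(SAMPLE_AUTH))
    for p in SAMPLE_FILES:
        r = resolve_file_auth(SAMPLE_AUTH, SAMPLE_FILES, p)
        print(p, "->", r[0] if r else None)
```

Note that `/tmp/d.txt` resolves to nothing: `http://www.example.com/testing` is not beneath `http://www.example.com/test`, so the basic credentials do not apply under the assumed prefix rule. `literal_secrets` flags `testBasic.password` and `testS3.secretKey` because they are written into the template text; the `rolebased` entry carries no secret at all, which is the property that makes the IAM-role form preferable.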

Full Template Examples

For full template samples that feature the AWS::CloudFormation::Authentication resource, view the following templates on the AWS CloudFormation Sample Templates web page: