`AWS::CloudFormation::Authentication`

Use the AWS::CloudFormation::Authentication resource to specify authentication credentials for files or sources that you specify with the AWS::CloudFormation::Init resource.

To include authentication information for a file or source that you specify with AWS::CloudFormation::Init, use the uris property if the source is a URI or the buckets property if the source is an Amazon S3 bucket. For more information about files, see Files. For more information about sources, see Sources.

You can also specify authentication information for files directly in the AWS::CloudFormation::Init resource. The files key of the resource contains a property named authentication. You can use the authentication property to associate authentication information defined in an AWS::CloudFormation::Authentication resource directly with a file.

For files, AWS CloudFormation looks for authentication information in the following order:

The authentication property of the AWS::CloudFormation::Init files key.
The uris or buckets property of the AWS::CloudFormation::Authentication resource.

For sources, CloudFormation looks for authentication information in the uris or buckets property of the AWS::CloudFormation::Authentication resource.

Syntax

To declare this entity in your CloudFormation template, use the following syntax:

You should be aware of the following considerations when using the AWS::CloudFormation::Authentication type:

Unlike most CloudFormation resources, the AWS::CloudFormation::Authentication type doesn't contain a block called Properties, but instead contains a list of user-named blocks, each containing its own authentication properties.

Not all properties pertain to each authentication type; see the type property for more details.
Unlike most CloudFormation resources, property names use lower camel case.

JSON


{
  "Type" : "AWS::CloudFormation::Authentication" {
    "String" : {
      "accessKeyId" : String,
      "buckets" : [ String, ... ],
      "password" : String,
      "secretKey" : String,
      "type" : String,
      "uris" : [ String, ... ],
      "username" : String,
      "roleName" : String
    }
  }
}

YAML


Type: AWS::CloudFormation::Authentication
String:
  accessKeyId: String
  buckets:
    - String
  password: String
  secretKey: String
  type: String
  uris:
    - String
  username: String
  roleName: String

Properties

accessKeyId

Specifies the access key ID for S3 authentication.

Required: Conditional. Can be specified only if the type property is set to S3.

Type: String

buckets

A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication credentials.

Required: Conditional. Can be specified only if the type property is set to S3.

Type: List of String values

password

Specifies the password for basic authentication.

Required: Conditional. Can be specified only if the type property is set to basic.

Type: String

secretKey

Specifies the secret key for S3 authentication.

Required: Conditional. Can be specified only if the type property is set to S3.

Type: String

type

Specifies whether the authentication scheme uses a user name and password (basic) or an access key ID and secret key (S3).

If you specify basic, specify the username, password, and uris properties.

If you specify S3, specify the accessKeyId, secretKey, and buckets (optional) properties.

Required: Yes

Valid values: basic | S3

uris

A comma-delimited list of URIs to be associated with the basic authentication credentials. The authorization applies to the specified URIs and any more specific URI. For example, if you specify http://www.example.com, the authorization will also apply to http://www.example.com/test.

Required: Conditional. Can be specified only if the type property is set to basic.

Type: List of String values

username

Specifies the user name for basic authentication.

Required: Conditional. Can be specified only if the type property is set to basic.

Type: String

roleName

Describes the role for role-based authentication.

Important

This role must be contained within the instance profile that's attached to the EC2 instance. An instance profile can only contain one IAM role.

Required: Conditional. Can be specified only if the type property is set to S3.

Type: String.

Examples

Note

Unlike most resources, the AWS::CloudFormation::Authentication type defines a list of user-named blocks, each of which contains authentication properties that use lower camel case naming.

Topics

EC2 web server authentication
Specifying both basic and S3 authentication
IAM roles

EC2 web server authentication

This template snippet shows how to get a file from a private S3 bucket within an EC2 instance. The credentials used for authentication are defined in the AWS::CloudFormation::Authentication resource, and referenced by the AWS::CloudFormation::Init resource in the files section.

JSON


"WebServer": {
   "Type": "AWS::EC2::Instance",
   "DependsOn" : "BucketPolicy",
   "Metadata" : {
      "AWS::CloudFormation::Init" : {
         "config" : {
            "packages" : { "yum" : { "httpd" : [] } },
            "files" : {
               "/var/www/html/index.html" : {
                  "source" : {
                     "Fn::Join" : [
                        "", [ "http://s3.amazonaws.com/", { "Ref" : "BucketName" }, "/index.html" ]
                     ]
                  },
                  "mode"   : "000400",
                  "owner"  : "apache",
                  "group"  : "apache",
                  "authentication" : "S3AccessCreds"
               }
            },
            "services" : {
               "sysvinit" : {
                  "httpd" : { "enabled" : "true", "ensureRunning" : "true" }
               }
            }
         }
      },
      "AWS::CloudFormation::Authentication" : {
         "S3AccessCreds" : {
            "type" : "S3",
            "accessKeyId" : { "Ref" : "AccessKeyID" },
            "secretKey" : { "Ref" : "SecretAccessKey" }
         }
      }
   },
   "Properties": {
   EC2 Resource Properties ...
   }
}

YAML


WebServer: 
  Type: AWS::EC2::Instance
  DependsOn: BucketPolicy
  Metadata: 
    AWS::CloudFormation::Init: 
      config: 
        packages: 
          yum: 
            httpd: []
        files: 
          /var/www/html/index.html: 
            source: !Join
              - ''
              - - 'http://s3.amazonaws.com/'
                - !Ref BucketName
                - '/index.html'
            mode: '000400'
            owner: apache
            group: apache
            authentication: S3AccessCreds
        services: 
          sysvinit: 
            httpd: 
              enabled: 'true'
              ensureRunning: 'true'
    AWS::CloudFormation::Authentication: 
      S3AccessCreds: 
        type: S3
        accessKeyId: !Ref AccessKeyID
        secretKey: !Ref SecretAccessKey
  Properties: 
  EC2 Resource Properties ...

Specifying both basic and S3 authentication

The following example template snippet includes both basic and S3 authentication types.

JSON


"AWS::CloudFormation::Authentication" : {
   "testBasic" : {
      "type" : "basic",
      "username" : { "Ref" : "UserName" },
      "password" : { "Ref" : "Password" },
      "uris" : [ "example.com/test" ]
   },
   "testS3" : {
      "type" : "S3",
      "accessKeyId" : { "Ref" : "AccessKeyID" },
      "secretKey" : { "Ref" : "SecretAccessKey" },
      "buckets" : [{ "Fn::Sub": "${BucketName}" }]
   }
}

YAML


AWS::CloudFormation::Authentication: 
  testBasic: 
    type: basic
    username: !Ref UserName
    password: !Ref Password
    uris: 
      - 'example.com/test'
  testS3: 
    type: S3
    accessKeyId: !Ref AccessKeyID
    secretKey: !Ref SecretAccessKey
    buckets: 
      - !Sub ${BucketName}

IAM roles

The following example shows how to use IAM roles:

myRole is an AWS::IAM::Role resource.
The Amazon EC2 instance that runs cfn-init is associated with myRole through an instance profile.
The example specifies the authentication by using the buckets property, like in Amazon S3 authentication. You can also specify authentication by name.

JSON


"AWS::CloudFormation::Authentication": {
    "rolebased" : {
        "type": "S3",
        "buckets": [{ "Fn::Sub": "${BucketName}" }],
        "roleName": { "Ref": "myRole" }
    }
}

YAML


AWS::CloudFormation::Authentication: 
  rolebased: 
    type: S3
    buckets: 
      - !Sub ${BucketName}
    roleName: !Ref myRole

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Metadata

AWS::CloudFormation::Init