AWS::CloudFormation::Authentication
Use the AWS::CloudFormation::Authentication resource to specify authentication credentials for files or sources that you specify with the AWS::CloudFormation::Init resource.

To include authentication information for a file or source that you specify with AWS::CloudFormation::Init, use the uris property if the source is a URI or the buckets property if the source is an Amazon S3 bucket. For more information about files, see Files. For more information about sources, see Sources Supported formats.

You can also specify authentication information for files directly in the AWS::CloudFormation::Init resource. The files key of the resource contains a property named authentication. You can use the authentication property to associate authentication information defined in an AWS::CloudFormation::Authentication resource directly with a file.
For files, AWS CloudFormation looks for authentication information in the following order:

- The authentication property of the AWS::CloudFormation::Init files key.
- The uris or buckets property of the AWS::CloudFormation::Authentication resource.

For sources, CloudFormation looks for authentication information in the uris or buckets property of the AWS::CloudFormation::Authentication resource.
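As an added example, not code from the page or from cfn-init: a small Python resolver that applies this lookup order to one entry of the Init files key. It assumes path-style S3 URLs of the form the web server example below uses (http://s3.amazonaws.com/<bucket>/key) and implements the uris rule described under the uris property as a path-prefix match.

```python
from urllib.parse import urlparse

# Constructed sample shaped like the page's examples; not a real template.
AUTH = {
    "S3AccessCreds": {"type": "S3", "buckets": ["DOC-EXAMPLE-BUCKET1"],
                      "roleName": "myRole"},
    "testBasic": {"type": "basic", "username": "user", "password": "pass",
                  "uris": ["http://www.example.com"]},
}

def bucket_of(url):
    """Bucket name of a path-style URL (http://s3.amazonaws.com/<bucket>/key),
    the form the page's web server example uses. Assumption: only that form."""
    parts = urlparse(url)
    if parts.netloc != "s3.amazonaws.com":
        return None
    return parts.path.lstrip("/").split("/", 1)[0] or None

def uri_matches(pattern, url):
    """Documented uris rule: an entry also covers any more specific URI.
    Assumption: 'more specific' means a path below the entry."""
    return url == pattern or url.startswith(pattern.rstrip("/") + "/")

def resolve_auth(file_entry, auth_blocks):
    """Pick the credentials block for one Init files entry, in the documented
    order: the entry's own `authentication` name first, then the first block
    whose `buckets` (S3) or `uris` (basic) covers the entry's `source`."""
    name = file_entry.get("authentication")
    if name is not None:
        if name not in auth_blocks:
            raise KeyError(f"authentication block {name!r} is not defined")
        return name, auth_blocks[name]
    src = file_entry.get("source", "")
    bucket = bucket_of(src)
    for name, blk in auth_blocks.items():
        if blk.get("type") == "S3" and bucket in blk.get("buckets", []):
            return name, blk
        if blk.get("type") == "basic" and any(
                uri_matches(u, src) for u in blk.get("uris", [])):
            return name, blk
    return None, None  # no block applies to this source
```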
Syntax
To declare this entity in your CloudFormation template, use the following syntax:

You should be aware of the following considerations when using the AWS::CloudFormation::Authentication type:

- Unlike most CloudFormation resources, the AWS::CloudFormation::Authentication type doesn't contain a block called Properties, but instead contains a list of user-named blocks, each containing its own authentication properties. Not all properties pertain to each authentication type; see the type property for more details.
- Unlike most CloudFormation resources, property names use lower camel case.
JSON
{
  "Type" : "AWS::CloudFormation::Authentication",
  "String" : {
    "accessKeyId" : String,
    "buckets" : [ String, ... ],
    "password" : String,
    "secretKey" : String,
    "type" : String,
    "uris" : [ String, ... ],
    "username" : String,
    "roleName" : String
  }
}
YAML
Type: AWS::CloudFormation::Authentication
String:
  accessKeyId: String
  buckets:
    - String
  password: String
  secretKey: String
  type: String
  uris:
    - String
  username: String
  roleName: String
Properties
accessKeyId
Specifies the access key ID for S3 authentication.
Required: Conditional. Can be specified only if the type property is set to "S3".
Type: String

buckets
A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication credentials.
Required: Conditional. Can be specified only if the type property is set to "S3".
Type: List of String values

password
Specifies the password for basic authentication.
Required: Conditional. Can be specified only if the type property is set to "basic".
Type: String

secretKey
Specifies the secret key for S3 authentication.
Required: Conditional. Can be specified only if the type property is set to "S3".
Type: String

type
Specifies whether the authentication scheme uses a user name and password ("basic") or an access key ID and secret key ("S3"). If you specify "basic", specify the username, password, and uris properties. If you specify "S3", specify the accessKeyId, secretKey, and buckets (optional) properties.
Required: Yes
Valid values: basic | S3

uris
A comma-delimited list of URIs to be associated with the basic authentication credentials. The authorization applies to the specified URIs and any more specific URI. For example, if you specify http://www.example.com, the authorization will also apply to http://www.example.com/test.
Required: Conditional. Can be specified only if the type property is set to "basic".
Type: List of String values

username
Specifies the user name for basic authentication.
Required: Conditional. Can be specified only if the type property is set to "basic".
Type: String

roleName
Describes the role for role-based authentication.
Important
This role must be contained within the instance profile that's attached to the EC2 instance. An instance profile can only contain one IAM role.
Required: Conditional. Can be specified only if the type property is set to "S3".
Type: String
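As an added example, not code from the page or from CloudFormation: a Python validator that checks a set of user-named blocks against the per-type rules in the Properties section above. It treats roleName as an alternative to the accessKeyId/secretKey pair for S3 (as the IAM roles example below does; that reading is an assumption) and adds one check the page does not state, flagging a password or secretKey written as a literal instead of a Ref or Fn::GetAtt.

```python
ALLOWED = {  # properties the page permits per type (lower camel case)
    "basic": {"type", "username", "password", "uris"},
    "S3": {"type", "accessKeyId", "secretKey", "buckets", "roleName"},
}

# Constructed input shaped like the page's "both basic and S3" example.
SAMPLE = {
    "testBasic": {"type": "basic", "username": {"Ref": "UserName"},
                  "password": {"Ref": "Password"}, "uris": ["example.com/test"]},
    "testS3": {"type": "S3", "accessKeyId": {"Ref": "AccessKeyID"},
               "secretKey": {"Ref": "SecretAccessKeyID"},
               "buckets": ["DOC-EXAMPLE-BUCKET1"]},
}

def is_intrinsic(value):
    """True for a single-key intrinsic such as {"Ref": ...} or {"Fn::GetAtt": ...}."""
    if not isinstance(value, dict) or len(value) != 1:
        return False
    key = next(iter(value))
    return key == "Ref" or key.startswith("Fn::")

def validate_block(name, blk):
    """Return the problems in one user-named block, per the Properties section."""
    t = blk.get("type")
    if t not in ALLOWED:
        return [f"{name}: type must be basic | S3, got {t!r}"]
    problems = [f"{name}: {k} cannot be specified when type is {t}"
                for k in blk if k not in ALLOWED[t]]
    if t == "basic":
        problems += [f"{name}: basic authentication requires {k}"
                     for k in ("username", "password", "uris") if k not in blk]
    elif not (all(k in blk for k in ("accessKeyId", "secretKey")) or "roleName" in blk):
        problems.append(f"{name}: S3 needs accessKeyId and secretKey, or roleName")
    for k in ("uris", "buckets"):
        if k in blk and not isinstance(blk[k], list):
            problems.append(f"{name}: {k} must be a list of strings")
    # Added check, beyond the page: a literal here bakes a secret into the template.
    for k in ("password", "secretKey"):
        if k in blk and not is_intrinsic(blk[k]):
            problems.append(f"{name}: {k} is a literal; use Ref or Fn::GetAtt")
    return problems

def validate_authentication(auth):
    """Problems across all blocks; an empty list means the block set is valid."""
    return [p for name, blk in auth.items() for p in validate_block(name, blk)]
```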
Examples
Note
Unlike most resources, the AWS::CloudFormation::Authentication type defines a list of user-named blocks, each of which contains authentication properties that use lower camel case naming.
EC2 web server authentication
This template snippet shows how to get a file from a private S3 bucket within an EC2 instance. The credentials used for authentication are defined in the AWS::CloudFormation::Authentication resource, and referenced by the AWS::CloudFormation::Init resource in the files section.
JSON
"WebServer": {
  "Type": "AWS::EC2::Instance",
  "DependsOn" : "BucketPolicy",
  "Metadata" : {
    "AWS::CloudFormation::Init" : {
      "config" : {
        "packages" : {
          "yum" : {
            "httpd" : []
          }
        },
        "files" : {
          "/var/www/html/index.html" : {
            "source" : {
              "Fn::Join" : [ "", [ "http://s3.amazonaws.com/", { "Ref" : "BucketName" }, "/index.html" ] ]
            },
            "mode" : "000400",
            "owner" : "apache",
            "group" : "apache",
            "authentication" : "S3AccessCreds"
          }
        },
        "services" : {
          "sysvinit" : {
            "httpd" : {
              "enabled" : "true",
              "ensureRunning" : "true"
            }
          }
        }
      }
    },
    "AWS::CloudFormation::Authentication" : {
      "S3AccessCreds" : {
        "type" : "S3",
        "accessKeyId" : { "Ref" : "CfnKeys" },
        "secretKey" : { "Fn::GetAtt": [ "CfnKeys", "SecretAccessKey" ] }
      }
    }
  },
  "Properties": {
    EC2 Resource Properties ...
  }
}
YAML
WebServer:
  Type: AWS::EC2::Instance
  DependsOn: "BucketPolicy"
  Metadata:
    AWS::CloudFormation::Init:
      config:
        packages:
          yum:
            httpd: []
        files:
          /var/www/html/index.html:
            source:
              Fn::Join:
                - ""
                - - "http://s3.amazonaws.com/"
                  - Ref: "BucketName"
                  - "/index.html"
            mode: "000400"
            owner: "apache"
            group: "apache"
            authentication: "S3AccessCreds"
        services:
          sysvinit:
            httpd:
              enabled: "true"
              ensureRunning: "true"
    AWS::CloudFormation::Authentication:
      S3AccessCreds:
        type: "S3"
        accessKeyId:
          Ref: "CfnKeys"
        secretKey:
          Fn::GetAtt:
            - "CfnKeys"
            - "SecretAccessKey"
  Properties:
    EC2 Resource Properties ...
Specifying both basic and S3 authentication
The following example template snippet includes both basic and S3 authentication types.
JSON
"AWS::CloudFormation::Authentication" : {
  "testBasic" : {
    "type" : "basic",
    "username" : { "Ref" : "UserName" },
    "password" : { "Ref" : "Password" },
    "uris" : [ "example.com/test" ]
  },
  "testS3" : {
    "type" : "S3",
    "accessKeyId" : { "Ref" : "AccessKeyID" },
    "secretKey" : { "Ref" : "SecretAccessKeyID" },
    "buckets" : [ "DOC-EXAMPLE-BUCKET1" ]
  }
}
YAML
AWS::CloudFormation::Authentication:
  testBasic:
    type: "basic"
    username:
      Ref: "UserName"
    password:
      Ref: "Password"
    uris:
      - "example.com/test"
  testS3:
    type: "S3"
    accessKeyId:
      Ref: "AccessKeyID"
    secretKey:
      Ref: "SecretAccessKeyID"
    buckets:
      - "myawsbucket"
IAM roles
The following example shows how to use IAM roles:
- myRole is an AWS::IAM::Role resource.
- The Amazon EC2 instance that runs cfn-init is associated with myRole through an instance profile.
- The example specifies the authentication by using the buckets property, like in Amazon S3 authentication. You can also specify authentication by name.
JSON
"AWS::CloudFormation::Authentication": {
  "rolebased" : {
    "type": "S3",
    "buckets": [ "myBucket" ],
    "roleName": { "Ref": "myRole" }
  }
}
YAML
AWS::CloudFormation::Authentication:
  rolebased:
    type: "S3"
    buckets:
      - "myBucket"
    roleName:
      Ref: "myRole"