AWS CloudFormation service role - AWS CloudFormation

AWS CloudFormation service role

A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses that role's credentials.

Use a service role to explicitly specify the actions that AWS CloudFormation can perform, which might not always be the same actions that you or other users can do. For example, you might have administrative privileges, but you can limit AWS CloudFormation access to only Amazon EC2 actions.

You create the service role and its permission policy with the IAM service. For more information about creating a service role, see Creating a role to delegate permissions to an AWS service in the IAM User Guide. Specify AWS CloudFormation ( as the service that can assume the role.

To associate a service role with a stack, specify the role when you create the stack. For details, see Setting AWS CloudFormation stack options. You can also change the service role when you update the stack in the console, or DeleteStack the stack through the API. Before you specify a service role, ensure that you have permission to pass it (iam:PassRole). The iam:PassRole permission specifies which roles you can use.


When you specify a service role, AWS CloudFormation always uses that role for all operations that are performed on that stack. It is not possible to remove a service role attached to a stack after the stack is created. Other users that have permissions to perform operations on this stack are able to use this role, regardless of whether those users have the iam:PassRole permission or not. If the role includes permissions that the user shouldn't have, you can unintentionally escalate a user's permissions. Ensure that the role grants least privilege.