enter image description here in aws cloudformation why do we have to edit iam roles in template only then why is the option given in console,when trying to update iam role it says nothing to update

CodePudding user response：

The role in question is used to grant the Cloudformation the permissions to deploy specific resources as part of the stack. By default if you don't specify what role the stack should use, it will use the permissions assigned to a user that's creating the CFN stack. So for example in case you don't have permissions to deploy an IAM resources and you try to deploy a CFN stack containing an IAM Role it will fail due to lack of permissions. This is where the Cloudformation IAM Roles come in handy. You can have a Cloudformation role deployed that has more permissions that the role you're using to deploy the stack itself and by assigning it to the CFN stack you're now able to privision those resources.

To update the IAM Role that the stack uses without making any changes to the stack resources you can got to Update -> Use current template -> Change IAM role (in Permissions) pick the role you want the stack to use and click Update stack. Once completed you can check the Stack info and in Overview the new IAM Role arn should be listed.

When deploying the resources from the pipeline or aws cli you can also specify the role you want your stack to use to provision the resources.

aws cloudformation deploy \
     --template-file package.yaml \
     --stack-name YOUR-STACK-NAME \
     --role-arn arn:aws:iam::123456789012:role/YOUR-IAM-ROLE

CodePudding user response：

Your screenshot shows AWS CloudFormation (CFN) service role. This is totally different role from those in your templates. Namely, CFN will use that role to create/update your stack. By default CFN uses your own IAM user permissions, but you can tell CFN to use the given CFN service role instead.