CloudFormation service role
If you want to explicitly specify the actions CloudFormation can perform on your behalf when deploying the Elastic CI Stack for AWS, you can create your stack using an IAM User or Role that has been granted limited permissions, or use an AWS CloudFormation service role.
The Elastic CI Stack for AWS repository contains an experimental service role template. This template creates an IAM Role and set of IAM Policies with the IAM Actions necessary to create, update, and delete a CloudFormation Stack created with the Elastic CI Stack for AWS template.
The IAM role created by this template is used to create and delete CloudFormation stacks in our test suite, but it is likely that the permissions needed for some stack parameter permutations are missing.
This template can be deployed as is, or used as the basis for your own CloudFormation service role.
Deploying the service role template
With a copy of the Elastic CI Stack for AWS repository, the service role template can be deployed using the AWS CLI:
aws cloudformation deploy \
--template-file templates/service-role.yml \
--stack-name buildkite-elastic-ci-stack-service-role \
--capabilities CAPABILITY_IAM
Once the stack has been created, the role ARN (Amazon Resource Name) can be retrieved using:
aws cloudformation describe-stacks \
--stack-name buildkite-elastic-ci-stack-service-role \
--query "Stacks[0].Outputs[?OutputKey=='RoleArn'].OutputValue" \
--output text
This role ARN can be passed to an aws cloudformation create-stack invocation as the value of the --role-arn flag, so that CloudFormation performs the stack's create, update, and delete actions with the service role's permissions rather than those of the caller.
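The procedure above, chained into one script: deploy the service-role stack, read its RoleArn output, refuse to continue unless it is a well-formed role ARN, and hand it to create-stack. This is an added example, not code from the Elastic CI Stack for AWS repository; the Elastic CI template URL, the new stack's name, the CAPABILITY_NAMED_IAM capability and the omitted stack parameters are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the Elastic CI Stack repository): deploy the service
# role stack, fetch its RoleArn output, and pass it to create-stack so that
# CloudFormation acts with the limited role instead of the caller's own rights.
set -eu

SERVICE_ROLE_STACK="buildkite-elastic-ci-stack-service-role"

deploy_service_role() {
  aws cloudformation deploy \
    --template-file templates/service-role.yml \
    --stack-name "$SERVICE_ROLE_STACK" \
    --capabilities CAPABILITY_IAM
}

service_role_arn() {
  aws cloudformation describe-stacks \
    --stack-name "$SERVICE_ROLE_STACK" \
    --query "Stacks[0].Outputs[?OutputKey=='RoleArn'].OutputValue" \
    --output text
}

# Accept only a well-formed IAM role ARN. With --output text a missing output
# prints nothing or "None"; passing that on would fail late, and dropping the
# flag by accident would silently run create-stack with the caller's own rights.
require_role_arn() {
  arn="$(service_role_arn)"
  case "$arn" in
    arn:aws:iam::[0-9]*:role/*) printf '%s\n' "$arn" ;;
    *) echo "no RoleArn output on stack $SERVICE_ROLE_STACK (got '$arn')" >&2
       return 1 ;;
  esac
}

# $1 = name of the new Elastic CI stack, $2 = its template URL (placeholder).
# A real deployment also needs the stack's own --parameters, omitted here.
create_elastic_ci_stack() {
  role_arn="$(require_role_arn)"
  aws cloudformation create-stack \
    --stack-name "$1" \
    --template-url "$2" \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --role-arn "$role_arn"
}

# Run end to end only when asked, so the file can be sourced without side effects.
if [ "${1:-}" = "run" ]; then
  deploy_service_role
  create_elastic_ci_stack "buildkite-elastic-ci-stack" "https://EXAMPLE-BUCKET.s3.amazonaws.com/aws-stack.yml"
fi
```

Invoke it as `sh deploy-with-service-role.sh run` after replacing the placeholder template URL.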