Command: environment init
The environment init command is a helper that downloads an AWS CloudFormation
stack template (in YAML). This template contains the role that is needed for the
managed service to manage resources in the target AWS account. The output is the
template text, which can be copied or redirected to a file.
Currently, only CloudFormation is supported; in the future there may be other templates or methods to set up the access.
The AWS documentation provides an article on how to create a stack using the AWS CLI tool.
We recommend reviewing the policy for restrictions, but note that adding restrictions to the policy could break managed service functionality. (Currently the policy is not least privilege: it allows Action '*' on Resource '*'.)
Usage
edw environment init [options]
Options
-cloudformation
    Generates the AWS YAML template for the CloudFormation stack.
Example: Output to Screen
$ edw environment init -cloudformation
AWSTemplateFormatVersion: 2010-09-09
Resources:
  edwRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: 'edw-access-role'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::xxxx:root'
            Action:
              - 'sts:AssumeRole'
      Path: '/edw/access/role/'
      Policies:
        - PolicyName: 'edw-access-policy'
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
Outputs:
  edwRoleARN:
    Description: The ARN of the edw role
    Value: !GetAtt edwRole.Arn
Example: Output to file and use AWS CLI to create the stack
$ edw environment init -cloudformation > /tmp/edw_init_template.yml
$ aws cloudformation deploy \
    --template-file /tmp/edw_init_template.yml \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --stack-name <my_edw_stack> \
    --parameter-overrides ClientId=$EDW_CLIENT_ID
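
The policy review recommended above can be scripted and run on the saved template before the deploy step. The following is an added example, not part of the edw tool or its documentation: it reports Allow statements that grant '*' on '*' and trust statements that name an account root principal with no Condition. The function names and the trimmed sample are assumptions for illustration, and the scan relies on indentation and on each statement starting with "- Effect:" as in the template above, rather than on a full YAML parser.

```python
# Constructed sample: the role's Properties, trimmed from the template shown above.
SAMPLE = """\
AssumeRolePolicyDocument:
  Statement:
    - Effect: Allow
      Principal:
        AWS:
          - 'arn:aws:iam::xxxx:root'
      Action:
        - 'sts:AssumeRole'
Policies:
  - PolicyDocument:
      Statement:
        - Effect: Allow
          Action: '*'
          Resource: '*'
"""

def allow_statements(template):
    """Collect each '- Effect: Allow' list item as {key: [values]}, by indentation only."""
    found, base, key = [], None, None
    for line in filter(str.strip, template.splitlines()):
        text, depth = line.strip(), len(line) - len(line.lstrip())
        if text.startswith("- Effect: Allow"):  # a new Allow statement begins
            base, text, depth = depth + 2, text[2:], depth + 2
            found.append({})
        elif base is None or depth < base:  # outside a statement, or it just ended
            base = None
            continue
        if depth == base and not text.startswith("- "):
            key, _, value = text.partition(":")
            found[-1][key] = [value.strip(" '\"")] if value.strip() else []
        elif not text.endswith(":"):  # skip nested keys such as 'AWS:'
            found[-1][key].append(text.removeprefix("- ").strip("'\""))
    return found

def review(template):
    """Return findings for Allow statements broader than least privilege."""
    findings = []
    for s in allow_statements(template):
        if "*" in s.get("Action", []) and "*" in s.get("Resource", []):
            findings.append("permissions: Allow Action '*' on Resource '*'")
        for p in s.get("Principal", []):
            if p.endswith(":root") and "Condition" not in s:
                findings.append(f"trust: account principal {p} with no Condition")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

To check a real template, pass the contents of the saved file (for example /tmp/edw_init_template.yml) to review() and treat a non-empty result as a reason to stop before deploying.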