6

In AWS CloudFormation, you can specify a template by uploading a template file or by specifying an S3 URL to a template. (Specify an Amazon S3 template URL)

If the bucket is public, you can construct a URL for anyone to access the object/template. This works fine as long as the S3 template URL is a simple URL:

https://s3.amazonaws.com/public-bucket/unsigned.template

But if the bucket is private, you can generate a signed S3 URL if you want to share an object with others. I am given a URL that is a signed S3 URL for a template in a private bucket:

https://s3.amazonaws.com/private-bucket/signed.template?Signature=Cs6sqUABadcfZAuFu5FSMWAQ%3D&Expires=1459636414&AWSAccessKeyId=AKIAJ23456AXIOUBCNQ

Unfortunately, CF is not honoring the signed URL and strips everything after .template. Due to this I get an Access Denied error. Does anyone know a way to specify a signed S3 URL as a template in CloudFormation?

helloV

3 Answers

6

AWS finally acknowledged that it is a bug in CloudFormation and they are working on a fix. No ETA on that yet.

helloV
  • If you have any links to an issue page or announcement they would be helpful here. – jeffrey Mar 16 '18 at 22:45
  • Quick update, this is now allowed: echo https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?templateURL=$(aws s3 presign s3://jeffrey-cf-test/test.template)&stackName=testpresignURL seems to do the trick – jeffrey Mar 19 '18 at 19:59
  • @jeffrey Thanks. Let me verify it and update the answer. – helloV Mar 19 '18 at 20:00
  • hey I spoke too soon, it looks like that will work inside the account I created the bucket in, but not cross-account, which seems odd to me. – jeffrey Mar 19 '18 at 20:39
  • did a little more playing with this in two toy accounts, and I still feel like something funky is going on. I create a presigned get url, as above, and in my browser logged in to the account with said bucket I get prompted to create my stack; when I take that same url into a browser signed into a different account there is an access denied error. I go back, make the template's ACL allow public read, and then suddenly that *same* cf link with the presign url works in the isolated account. This leads me to believe that despite the url there is an s3.GetObject call going on behind the scenes, odd. – jeffrey Mar 19 '18 at 21:58
  • so much to say, this is an interesting question @helloV – jeffrey Mar 19 '18 at 21:59
0

It seems that you can only use a URL you have access to (signed URLs are not enough). But if you are willing to use the AWS CLI, you could also use curl to get the contents of the template and create the stack using --template-body:

$ aws cloudformation create-stack --template-body "$(curl -s '<signed url>')" --stack-name test --parameters ParameterKey=string,ParameterValue=string

If you are scripting, save the template to a temporary file and then pass it to --template-body.

Renan
  • I am using AWS dashboard, so CLI and script are not options. – helloV Mar 03 '16 at 23:46
  • are you using the signed URL to give permission just for a certain amount of time, or to control who has access? If it is the second option, you could use a bucket policy instead of signed URLs: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html – Renan Mar 03 '16 at 23:50
0

You would have to URL-encode the S3 object presigned URL before attaching it to the CloudFormation console URL.

e.g. in JavaScript:

"https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?stackName=MyStack&templateURL=" + encodeURIComponent(presignedURL)

Bobberman
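An added worked example (not code from the original question or answers) that shows why the encoding step in the last answer matters. A presigned S3 URL carries its own `&`-separated query parameters (Signature, Expires, AWSAccessKeyId). If it is concatenated into the console link unencoded, those `&` are read as separators of the outer link, so the `templateURL` value ends early and the authentication parameters surface as unrelated top-level parameters. The sample presigned URL below is constructed, with placeholder signature and access-key values; `buildConsoleLink`, `buildConsoleLinkNaive`, `extractTemplateUrl` and `leakedAuthParams` are names chosen for this example.

```javascript
// Constructed sample presigned URL; the Signature and AWSAccessKeyId values are
// placeholders, not real credentials. Note the presigned URL already contains a
// percent-encoded '=' (%3D), which is why a second encoding pass is needed.
const SAMPLE_PRESIGNED =
  "https://s3.amazonaws.com/private-bucket/signed.template" +
  "?Signature=ExampleSig%3D&Expires=1459636414&AWSAccessKeyId=AKIAEXAMPLEPLACEHOLDER";

const CONSOLE_BASE = "https://console.aws.amazon.com/cloudformation/home";

// Naive link: the presigned URL is pasted in as-is. Its '?' and '&' are not
// distinguished from the console link's own parameter separators.
function buildConsoleLinkNaive(region, stackName, presignedUrl) {
  return `${CONSOLE_BASE}?region=${region}` +
    `#/stacks/create/review?stackName=${stackName}&templateURL=${presignedUrl}`;
}

// Correct link: every value is a single parameter, so reserved characters in it
// ('?', '&', '=', '%', '/') are percent-encoded with encodeURIComponent.
function buildConsoleLink(region, stackName, presignedUrl) {
  return `${CONSOLE_BASE}?region=${encodeURIComponent(region)}` +
    `#/stacks/create/review?stackName=${encodeURIComponent(stackName)}` +
    `&templateURL=${encodeURIComponent(presignedUrl)}`;
}

// The console's parameters live in the fragment after "#/stacks/create/review?".
// Parse them the way a front-end would and return the templateURL value
// (URLSearchParams percent-decodes each value exactly once).
function fragmentParams(consoleLink) {
  const fragment = new URL(consoleLink).hash;
  return new URLSearchParams(fragment.slice(fragment.indexOf("?") + 1));
}

function extractTemplateUrl(consoleLink) {
  return fragmentParams(consoleLink).get("templateURL");
}

// Which of the presigned URL's auth parameters ended up as top-level console
// parameters, i.e. were split off from the templateURL value.
function leakedAuthParams(consoleLink) {
  const params = fragmentParams(consoleLink);
  return ["Signature", "Expires", "AWSAccessKeyId"].filter((k) => params.has(k));
}

// Stand-alone demo: compare what each link hands to the console.
const naive = buildConsoleLinkNaive("us-west-2", "MyStack", SAMPLE_PRESIGNED);
const good = buildConsoleLink("us-west-2", "MyStack", SAMPLE_PRESIGNED);
console.log("naive templateURL :", extractTemplateUrl(naive));
console.log("naive leaked      :", leakedAuthParams(naive));
console.log("encoded templateURL:", extractTemplateUrl(good));
console.log("round-trip intact  :", extractTemplateUrl(good) === SAMPLE_PRESIGNED);
```

The same rule applies to the shell one-liner in the comments above: wrap the `$(aws s3 presign ...)` output in a URL-encoding step before it is spliced into the console link, otherwise the link is only usable where the template is readable without the signature (which is what the cross-account observation in the comments suggests).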