IAM

By default, mu will manage the IAM roles it needs to manage all resources in your account. However, this assumes that whoever is mu has administrative access to the AWS account. If you'd like to manage the IAM roles outside of mu, then you just need to provide the ARNs of the roles that you have created so that mu can use them.

First, tell mu that it doesn't need to manage roles by either:

CLI flag: mu -d ...
mu.yml file:

disableIAM: true

Then, you'll need to create and pass the following roles to mu:

mu.yml Location	Name	Description	Default Role
`roles`	`cloudFormation`	Role passed to CloudFormation for environment, service, and database stacks that are created	common-iam.yml
`environments[].roles`	`ecsInstance`	IAM role assumed by the ECS container instances. Not used if the environment provider is `ec2`	env-iam.yml
`environments[].roles`	`consulClientTask`	IAM role assumed by the ECS task for running the Consul agent on your ECS container instances. Not used unless Consul is configured for service discovery.	env-iam.yml
`environments[].roles`	`consulInstance`	IAM role assumed by the EC2 instances for the Consul server cluster. Not used unless Consul is configured for service discovery.	env-iam.yml
`environments[].roles`	`consulServerTask`	IAM role assumed by the ECS task for running the Consul agent on the Consul server cluster. Not used unless Consul is configured for service discovery.	env-iam.yml
`service.roles`	`ec2Instance`	IAM role assumed by EC2 instance for your service. Only used if the environment provider is `ec2`	service-iam.yml
`service.roles`	`codeDeploy`	Role passed to CodeDeploy service to deploy your application. Only used if the environment provider is `ec2`	service-iam.yml
`service.roles`	`ecsService`	Role passed to ECS Service to manage your application in ECS. Only used if the environment provider is `ecs`	service-iam.yml
`service.roles`	`ecsTask`	IAM role assumed by the ECS task that represents your application. Only used if the environment provider is `ecs`	service-iam.yml
`pipeline.roles`	`pipeline`	Role passed to CodePipeline.	pipeline-iam.yml
`pipeline.roles`	`build`	Role passed to CodeBuild for the `Build` stage of the pipeline.	pipeline-iam.yml
`pipeline.acceptance.roles`	`codeBuild`	Role passed to CodeBuild for the `Acceptance` stage of the pipeline.	pipeline-iam.yml
`pipeline.acceptance.roles`	`mu`	IAM role assumed by mu before deploying the environment/service/database. Useful for configuring cross-account deployments.	pipeline-iam.yml
`pipeline.production.roles`	`codeBuild`	Role passed to CodeBuild for the `Acceptance` stage of the pipeline.	pipeline-iam.yml
`pipeline.production.roles`	`mu`	IAM role assumed by mu before deploying the environment/service/database. Useful for configuring cross-account deployments.	pipeline-iam.yml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

IAM

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally