Amazon CloudFormation service role - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon CloudFormation service role

A service role is an Amazon Identity and Access Management (IAM) role that allows Amazon CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows Amazon CloudFormation to create, update, or delete your stack resources. By default, Amazon CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, Amazon CloudFormation uses that role's credentials.

Use a service role to explicitly specify the actions that Amazon CloudFormation can perform, which might not always be the same actions that you or other users can do. For example, you might have administrative privileges, but you can limit Amazon CloudFormation access to only Amazon EC2 actions.

You create the service role and its permission policy with the IAM service. For more information about creating a service role, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide. Specify Amazon CloudFormation (cloudformation.amazonaws.com) as the service that can assume the role.

To associate a service role with a stack, specify the role when you create the stack. For details, see Setting Amazon CloudFormation stack options. You can also change the service role when you update the stack in the console, or delete the stack through the API. Before you specify a service role, ensure that you have permission to pass it (iam:PassRole). The iam:PassRole permission specifies which roles you can use.

Important

When you specify a service role, Amazon CloudFormation always uses that role for all operations that are performed on that stack. It is not possible to remove a service role attached to a stack after the stack is created. Other users that have permissions to perform operations on this stack will be able to use this role, even if they don't have permission to pass it. If the role includes permissions that the user shouldn't have, you can unintentionally escalate a user's permissions. Ensure that the role grants least privilege.