How to create a role with specified arn with cloudformation in aws? - aws-cloudformation

I want to create a role with specified arn by cloudformation in aws. But I don't know how to do it. Because we can't specify a name for the role in the template file.

Assuming you are referring to an IAM role, this is not possible using CloudFormation. CloudFormation will automatically generate a name for your role based on the stack name and the logical resource ID. For example, arn:aws:iam::112233445566:role/myStackName-myRoleName-XXXXXXXXXXXXX.


Generate IAM policy based on CloudFormation template?

To easier follow the principal of least privilege, is there a way to generate the necessary IAM policy based on a CloudFormation template?
You can indeed use cloudformation to create policies via AWS::IAM::Policy resource.
Here is the documentation

retrieve ARN of secret for CloudFormation CredentialsParameter property

I am using CloudFormation. In my YAML I define a resource of type AWS::ECS::TaskDefinition and its ContainerDefinition property. In the ContainerDefinition I have RepositoryCredentials. Its CredentialsParameter must be the ARN of a secret according to the docs.
We will have two secrets of the same symbolic name abc in the same region, one for test and one for production. These secrets are not defined in the same CloudFormation source as mine so it appears I cannot !Ref them. And because the final few characters are randomized, it is not enough to substitute the account id in the ARN string.
I could simply make the secret ARN, or the random suffix, a parameter required to create/update the CF stack, but is there some way to look up the ARN by symbolic name? Something like CredentialsParameter !ArnFor ['secret', 'abc'] perhaps?

Rename the EKS creator's IAM user name via aws cli

If we have a role change in the team, I read that EKS creator can NOT be transferred. Can we instead rename the creator's IAM user name via aws cli? Will that break EKS?
I only find ways to add new user using configmap but this configmap doesn't have the root user in there.
$ kubectl edit configmap aws-auth --namespace kube-system
There is no way to transfer the root user of an EKS cluster to another IAM user. The only way to do this would be to delete the cluster and recreate it with the new IAM user as the root user.
Can we instead rename the creator's IAM user name via aws cli? Will that break EKS?
The creator record is immutable and managed within EKS. This record is simply not accessible using CLI and not amendable (including DELETE).
How do we know a cluster was created by IAM roles or IAM users?
If you cannot find the identity (userIdentity.arn) in CloudTrail that invoked CreateCluster (eventName) for the cluster (responseElements.clusterName) in last 90 days, you need to raise it to the AWS Support to obtain the identity.
is it safe to delete the creator IAM user?
Typically, you start with deactivate the IAM user account (creator) if you are not sure of any side effect. You can proceed to delete the account later when you are confident to do so.
As already mentioned in the answer by Muhammad, it is not possible to transfer the root/creator role to another IAM user.
To avoid getting into the situation that you describe, or any other situation where the creator of the cluster should not stay root, it is recommended to not create clusters with IAM users but with assumed IAM roles instead.
This leads to the IAM role becoming the "creator", meaning that you can use IAM access management to control who can actually assume the given role und thus act as root.
You can either have dedicated roles for each cluster or one role for multiple clusters, depending on how you plan to do access management. The limits will however apply later, meaning that you can not switch the creator role afterwards, so this must be properly planned in advance.

How to attach iam role to existing redshift cluster using aws cdk code

I know that we can add iam role using manage policy in permissions of redshift cluster, but I want to write code instead of using console.
I'm trying to attach a iam role to a existing redshift cluster means created before. So I want cdk code to attach an iam user to a existing cluster.(I want it in typescript)
I just had the same problem last week. So right now it is not possible to add a role to an existing Redshift-Cluster that is not written in CDK. You can import the redshiftcluster by attribute, but you can't add a role to it. You can create the role in AWS CDK and attach it manually to the cluster. Otherwise create a new cluster in aws cdk and there you can add the role via code.

How to update secret string using cludformation?

I am a newbie to AWS cloudformation, any help will appreciated.
I have a use case wherein I would like to write CFN to update already existing secret string. I was able to find a CFN to create a secret string but not to update.
I see the AWS CLI has aws secretsmanager update-secret --secret-id I was looking for similar option in Cloudformation.
Use cloud formation template for create secret but instead of creating stack, update the existing stack using change set.
but do it you must know the stack name which is created before to create secrets.
may be use the same template which used earlier just change the value and update stack