How to Update Onboarding Role's Policies via AWS CLI
The onboarding template at https://yotascale-onboarding.s3.amazonaws.com/YotascaleManagement.yaml is used to onboard AWS accounts to Yotascale. Occasionally, the template is updated when additional rights are required, for example for new features.
To update those rights, customers are currently required to rerun the CloudFormation template and re-onboard their AWS accounts. To shorten this process, customers can use the following AWS CLI command to update the policies created by the CloudFormation stack directly. This does not require them to rerun the template or re-onboard their AWS accounts.
aws iam --profile [insert profile to access AWS account] create-policy-version --policy-arn [insert policy ARN to be updated] --policy-document file://[insert file for policy to be updated].json --set-as-default
Example:
aws iam --profile default create-policy-version --policy-arn arn:aws:iam::XXXXX:policy/YS-Onboarding-YotascaleReadPolicy-XXXXXXXXXXX --policy-document file://yotascale-read-policy.json --set-as-default
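An IAM managed policy can hold at most five versions, so create-policy-version fails once a policy has been updated this way several times. The following wrapper is an added example, not part of the Yotascale documentation: it deletes the oldest non-default version when the limit is reached and then runs the command above. The script name, the function names and the three arguments (profile, policy ARN, policy file) are assumptions.

```shell
#!/bin/sh
# Added example. PROFILE, POLICY_ARN and POLICY_FILE are placeholders
# supplied by the caller; the function names are hypothetical.

# Reads `list-policy-versions` text output on stdin, one version per line:
#   VersionId <TAB> IsDefaultVersion <TAB> CreateDate
# Prints the oldest non-default VersionId, but only when the policy already
# holds 5 versions (the IAM limit); prints nothing otherwise.
version_to_prune() {
    awk -F'\t' '
        { total++ }
        tolower($2) != "true" && (oldest == "" || $3 < oldest_date) {
            oldest = $1; oldest_date = $3
        }
        END { if (total >= 5 && oldest != "") print oldest }
    '
}

update_policy() {
    profile=$1; policy_arn=$2; policy_file=$3
    [ -r "$policy_file" ] || { echo "cannot read $policy_file" >&2; return 1; }

    # The default version cannot be deleted, so only non-default ones qualify.
    prune=$(aws iam --profile "$profile" list-policy-versions \
        --policy-arn "$policy_arn" \
        --query 'Versions[].[VersionId,IsDefaultVersion,CreateDate]' \
        --output text | version_to_prune)

    if [ -n "$prune" ]; then
        echo "version limit reached, deleting oldest non-default version $prune"
        aws iam --profile "$profile" delete-policy-version \
            --policy-arn "$policy_arn" --version-id "$prune" || return 1
    fi

    aws iam --profile "$profile" create-policy-version \
        --policy-arn "$policy_arn" \
        --policy-document "file://$policy_file" --set-as-default
}

# Usage: sh update-policy.sh PROFILE POLICY_ARN POLICY_FILE
if [ "$#" -eq 3 ]; then
    update_policy "$@"
fi
```

Compare the new JSON document with the current default version before running this, since the update changes what the onboarding role is permitted to do.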
The policy documents for the 3 policies currently created and attached to the onboarding role (by running the CloudFormation template) are as follows:
yotascale-read-policy.json
yotascale-tagging-policy.json
yotascale-billing-policy.json
If the CloudFormation template is updated, the above JSON policy documents will also need to be updated. The CloudFormation template can serve as the master reference for making sure the latest rights are added to the above JSON documents.