How can I specify a signed S3 URL as template in CloudFormation?

Question

In AWS CloudFormation, you can specify a template by uploading a template file or by specifying a S3 URL to a template. (Specify an Amazon S3 template URL)

If the bucket is public, you can construct a URL for anyone to access the object/template. This works fine as long as the S3 template URL is a simple URL:

https://s3.amazonaws.com/public-bucket/unsigned.template

But if the bucket is private, you can generate a signed S3 URL if you want to share an object to others. I am given a URL that is a signed S3 URL for a template in a private bucket:

https://s3.amazonaws.com/private-bucket/signed.template?Signature=Cs6sqUABadcfZAuFu5FSMWAQ%3D&Expires=1459636414&AWSAccessKeyId=AKIAJ23456AXIOUBCNQ

Unfortunately CF is not honoring the signed URL and strips everything after .template. Due to this I get Access Denied error. Does anyone know a way to specify a signed S3 URL as a template in CloudFormation?

Answer 1

You would have to URL encode the s3 object presigned url before attaching it to the Cloudformation URL.

eg in javascript:

"https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?stackName=MyStack&templateURL=" + encodeURIComponent(presignedURL)

Answer 2

AWS finally acknowledged that it is a bug in CloudFormation and they are working on a fix. No ETA on that yet.

Answer 3

It seems that you can only use a URL you have access to (signed URLs are note enough). But if you are willing to use the aws cli, you could also use curl to get the contents of the template and create the stack using --template-body

$ aws cloudformation create-stack --template-body "$(curl -s '<signed url>')" --stack-name test --parameters ParameterKey=string,ParameterValue=string

If you are scripting, save the template to a temporary file and then pass it to template-body