The create-stack / update-stack / delete-stack operations of CloudFormation support a --role-arn parameter, which you can specify to set the role that CloudFormation assumes to make changes to the stack resources.

I can’t currently see any way to specify this with the Deploy to CloudFormation step. You can specify from within the AWS account section that you can assume a different AWS service role, but this is different to the --role-arn parameter, in that the assumed service role will be the role used to execute the create-stack command, and would require all relevant permissions to create the resources of the stack in any context - not just CloudFormation - and would mean my simple IAM account used solely to manage CloudFormation could potentially have access to everything in every stack it manages, just by assuming that role - big security hole there. By using the --role-arn parameter, I can specify that the only thing my simple IAM account can do with the role is pass it through to CloudFormation, and the account can’t be used for any malicious purposes.
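As an added illustration (not part of the original post, and not code from the deployment tool discussed), here is the IAM pair the post describes, expressed as a CloudFormation template: a service role that only cloudformation.amazonaws.com may assume, and a managed policy for the deploy identity that allows stack operations plus iam:PassRole for that single role, conditioned on the role being passed to CloudFormation. The role and policy names and the S3 permissions in the service role are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example CloudFormation service role and least-privilege deployer policy
Resources:
  # Role that CloudFormation assumes when --role-arn points at it. It carries the
  # permissions needed to create the stack's resources; the deploy identity does not.
  CfnServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-stack-service-role          # assumed name
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: stack-resource-permissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Assumed example scope; replace with what the stacks actually create.
              - Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:PutBucketPolicy
                Resource: '*'
  # Policy for the deploy identity: drive CloudFormation, and pass exactly one role,
  # only to the CloudFormation service. Without iam:PassRole on that role the
  # --role-arn call is rejected; the PassedToService condition stops the identity
  # from passing the role to any other service to borrow its permissions.
  CfnDeployerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: cfn-deployer-policy    # assumed name
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
            Resource: '*'
          - Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnServiceRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
```

The deploy identity then runs create-stack with --role-arn set to the CfnServiceRole ARN; CloudTrail records the PassRole and the subsequent AssumeRole by the CloudFormation service, which is the trail to watch for the role being used outside a stack operation.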