nakada0907/daisuke-iam-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add permissions for ECR, S3, CodePipeline, CodeBuild, Lambda, and API Gateway

Browse source
This commit is contained in:
Daisuke Nakahara 2026-01-04 12:40:23 +09:00
parent 5ca77a5360
commit 4e533c005d
1 changed files with 49 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

49
roles/cloudformation-write-role.yaml
View file

@ -26,6 +26,8 @@ Resources:
- ecr:DeleteRepositoryPolicy - ecr:DeleteRepositoryPolicy
- ecr:PutImageScanningConfiguration - ecr:PutImageScanningConfiguration
- ecr:SetRepositoryPolicy - ecr:SetRepositoryPolicy
- ecr:PutLifecyclePolicy
- ecr:DeleteLifecyclePolicy
Resource: Resource:
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/* - !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
- PolicyName: RoleWrite - PolicyName: RoleWrite
@ -79,7 +81,12 @@ Resources:
Statement: Statement:
- Effect: Allow - Effect: Allow
Action: Action:
- s3:CreateBucket
- s3:DeleteBucket
- s3:TagResource
- s3:UntagResource
- s3:PutBucketNotification - s3:PutBucketNotification
- s3:PutBucketVersioning
Resource: Resource:
- arn:aws:s3:::* - arn:aws:s3:::*
- PolicyName: CodePipelinePolicies - PolicyName: CodePipelinePolicies
@ -88,10 +95,24 @@ Resources:
Statement: Statement:
- Effect: Allow - Effect: Allow
Action: Action:
- codepipeline:CreatePipeline
- codepipeline:UpdatePipeline - codepipeline:UpdatePipeline
- codepipeline:DeletePipeline
Resource: Resource:
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*" - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*" - !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
- PolicyName: CodeBuildPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- codebuild:CreateProject
- codebuild:UpdateProject
- codebuild:DeleteProject
Resource:
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*"
- !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*/*"
- PolicyName: EventPolicies - PolicyName: EventPolicies
PolicyDocument: PolicyDocument:
Version: "2012-10-17" Version: "2012-10-17"
@ -102,6 +123,8 @@ Resources:
- events:DeleteRule - events:DeleteRule
- events:PutTargets - events:PutTargets
- events:RemoveTargets - events:RemoveTargets
- events:TagResource
- events:UntagResource
Resource: Resource:
- !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*" - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
- PolicyName: EbPolicies - PolicyName: EbPolicies
@ -148,6 +171,32 @@ Resources:
- ecs:TagResource - ecs:TagResource
Resource: Resource:
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/*" - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/*"
- PolicyName: LambdaPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:TagResource
- lambda:UntagResource
- lambda:AddPermission
- lambda:RemovePermission
Resource:
- !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
- PolicyName: ApiGatewayPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- apigateway:PUT
- apigateway:PATCH
- apigateway:POST
- apigateway:DELETE
Resource:
- !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/*"
ManagedPolicyArns: ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess - arn:aws:iam::aws:policy/ReadOnlyAccess
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite