feat: add S3 write role for CLI users
This commit is contained in:
parent
4e533c005d
commit
c23ec5c624
1 changed files with 35 additions and 0 deletions
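--- /dev/null
+++ b/roles/s3-write-role.yaml
@@ -0,0 +1,35 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: IAM Role for S3 Write operations via AssumeRole
+
+Resources:
+S3WriteRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: S3WriteRole
+Description: Role for CLI users to upload files to S3 buckets
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771
+Action: sts:AssumeRole
+Policies:
+- PolicyName: S3Policy
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- s3:ListBucket
+Resource:
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-blog-lambda-source-bucket
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-forgejo-source-bucket
+- Effect: Allow
+Action:
+- s3:PutObject
+- s3:GetObject
+- s3:DeleteObject
+Resource:
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-blog-lambda-source-bucket/*
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-forgejo-source-bucket/*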
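Review bot: The inline policy grants `s3:DeleteObject` on both buckets even though the role's Description and the commit title describe an upload role for CLI users; if deletion is not actually needed, drop the `- s3:DeleteObject` line so a leaked CLI session cannot wipe the Lambda and Forgejo source objects (otherwise update the Description to say read/write/delete). The trust policy's only principal is the `AdministratorWebHosting` permission-set role, which presumably already has S3 access, so this role adds no privilege separation for the "CLI users" it is meant for — a narrower, purpose-specific permission set would be the better principal. Note also that the `_42269022c2fff771` suffix is regenerated whenever the permission set is recreated, and the `${AWS::Region}` segment in that path appears to assume the stack is deployed in the same region as the IAM Identity Center instance; a more durable trust is `Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root` combined with `Condition: ArnLike: aws:PrincipalArn: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_<PermissionSet>_*`. Finally, a comment above `RoleName: S3WriteRole` noting that the fixed name makes this stack single-instance per account (and that the default 1h `MaxSessionDuration` is intentional) would save the next maintainer a deploy failure.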