feat(iam): extend CloudFormation write role permissions for pipeline and events
- allow setting ECR repository policies - add IAM role lifecycle and PassRole permissions - grant Secrets Manager read access - enable S3 bucket notification updates - allow CodePipeline updates - allow EventBridge rule and target management
This commit is contained in:
parent
ef8bceff67
commit
c4cc90881e
1 changed files with 44 additions and 1 deletions
|
|
@ -30,6 +30,7 @@ Resources:
|
||||||
- ecr:GetRepositoryPolicy
|
- ecr:GetRepositoryPolicy
|
||||||
- ecr:DeleteRepositoryPolicy
|
- ecr:DeleteRepositoryPolicy
|
||||||
- ecr:PutImageScanningConfiguration
|
- ecr:PutImageScanningConfiguration
|
||||||
|
- ecr:SetRepositoryPolicy
|
||||||
Resource:
|
Resource:
|
||||||
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
|
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
|
||||||
- PolicyName: RoleWrite
|
- PolicyName: RoleWrite
|
||||||
|
|
@ -38,8 +39,11 @@ Resources:
|
||||||
Statement:
|
Statement:
|
||||||
- Effect: Allow
|
- Effect: Allow
|
||||||
Action:
|
Action:
|
||||||
|
- iam:CreateRole
|
||||||
|
- iam:DeleteRole
|
||||||
- iam:PutRolePolicy
|
- iam:PutRolePolicy
|
||||||
- iam:DeleteRolePolicy
|
- iam:DeleteRolePolicy
|
||||||
|
- iam:PassRole
|
||||||
Resource:
|
Resource:
|
||||||
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
|
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
|
||||||
- PolicyName: PolicyWrite
|
- PolicyName: PolicyWrite
|
||||||
|
|
@ -52,7 +56,46 @@ Resources:
|
||||||
- iam:DeletePolicyVersion
|
- iam:DeletePolicyVersion
|
||||||
Resource:
|
Resource:
|
||||||
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
|
||||||
|
- PolicyName: SecretPolicies
|
||||||
|
PolicyDocument:
|
||||||
|
Version: "2012-10-17"
|
||||||
|
Statement:
|
||||||
|
- Effect: Allow
|
||||||
|
Action:
|
||||||
|
- secretsmanager:GetSecretValue
|
||||||
|
Resource:
|
||||||
|
- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
|
||||||
|
- PolicyName: S3Policies
|
||||||
|
PolicyDocument:
|
||||||
|
Version: "2012-10-17"
|
||||||
|
Statement:
|
||||||
|
- Effect: Allow
|
||||||
|
Action:
|
||||||
|
- s3:PutBucketNotification
|
||||||
|
Resource:
|
||||||
|
- arn:aws:s3:::*
|
||||||
|
- PolicyName: CodePipelinePolicies
|
||||||
|
PolicyDocument:
|
||||||
|
Version: "2012-10-17"
|
||||||
|
Statement:
|
||||||
|
- Effect: Allow
|
||||||
|
Action:
|
||||||
|
- codepipeline:UpdatePipeline
|
||||||
|
Resource:
|
||||||
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
||||||
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
|
||||||
|
- PolicyName: EventPolicies
|
||||||
|
PolicyDocument:
|
||||||
|
Version: "2012-10-17"
|
||||||
|
Statement:
|
||||||
|
- Effect: Allow
|
||||||
|
Action:
|
||||||
|
- events:PutRule
|
||||||
|
- events:DeleteRule
|
||||||
|
- events:PutTargets
|
||||||
|
- events:RemoveTargets
|
||||||
|
Resource:
|
||||||
|
- !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
|
||||||
ManagedPolicyArns:
|
ManagedPolicyArns:
|
||||||
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
||||||
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
|
||||||
|
|
|
||||||
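Review bot: In the RoleWrite statement of the second hunk, `iam:PassRole` is added to the same statement that already grants `iam:CreateRole` and `iam:PutRolePolicy` on `arn:aws:iam::${AWS::AccountId}:role/*`, so this role can create an arbitrary role with an arbitrary inline policy and then pass it to any service, which is a well-known privilege-escalation path that should be narrowed before merging. Move PassRole into its own statement with a `Condition` on `iam:PassedToService`, and scope the role ARN to the project's naming prefix instead of `role/*` (an `iam:PermissionsBoundary` condition on CreateRole/PutRolePolicy would additionally bound what the created roles can do). The same wildcard-scope concern applies to the third hunk, where `secretsmanager:GetSecretValue` is granted on `secret:*` and `s3:PutBucketNotification` on `arn:aws:s3:::*`; since the role already carries `ReadOnlyAccess`, GetSecretValue on every secret in the account is the notable new capability and should list the secrets the pipeline actually reads. The old side of the third hunk counts 7 lines but only 6 are visible on this page, so the single deleted line cannot be reviewed here, and the enclosing IAM role resource starts outside all three hunks.
```yaml
# … unchanged: RoleWrite PolicyDocument header (Version) …
              Statement:
                - Effect: Allow
                  Action:
                    - iam:CreateRole
                    - iam:DeleteRole
                    - iam:PutRolePolicy
                    - iam:DeleteRolePolicy
                  Resource:
                    - !Sub arn:aws:iam::${AWS::AccountId}:role/<ROLE_NAME_PREFIX>*
                - Effect: Allow
                  Action:
                    - iam:PassRole
                  Resource:
                    - !Sub arn:aws:iam::${AWS::AccountId}:role/<ROLE_NAME_PREFIX>*
                  Condition:
                    StringEquals:
                      iam:PassedToService:
                        - <SERVICE_PRINCIPAL_THE_PIPELINE_PASSES_ROLES_TO>
# … unchanged: PolicyWrite and the following policies …
```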