feat(iam): update CloudFormation write role principal and permissions

This commit is contained in:
Daisuke Nakahara 2026-01-03 20:34:25 +09:00
parent c6eaeb96fb
commit d6b591a815


@ -1,11 +1,6 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role for CloudFormation Write operations via AssumeRole
Parameters:
AdminPrincipalArns:
Type: List<String>
Description: List of IAM Identity Center Role ARNs allowed to assume this role.
Resources:
CloudFormationWriteRole:
Type: AWS::IAM::Role
@ -17,7 +12,7 @@ Resources:
Statement:
- Effect: Allow
Principal:
AWS: !Ref AdminPrincipalArns
AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771
Action: sts:AssumeRole
Policies:
- PolicyName: ECRImport
@ -41,9 +36,11 @@ Resources:
Action:
- iam:CreateRole
- iam:DeleteRole
- iam:UpdateRole
- iam:PutRolePolicy
- iam:DeleteRolePolicy
- iam:AttachRolePolicy
- iam:UpdateAssumeRolePolicy
- iam:PassRole
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
@ -58,6 +55,15 @@ Resources:
- iam:DeletePolicyVersion
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
- PolicyName: UserPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:DeleteAccessKey
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:user/*
- PolicyName: SecretPolicies
PolicyDocument:
Version: "2012-10-17"
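Review bot: The trust principal added in the second hunk, `AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_…`, ties the role to the region the stack is deployed in, but the region segment of an aws-reserved SSO role path is the home region of the IAM Identity Center instance, so deploying this template in any other region produces an ARN for a role that does not exist and the trust policy is rejected. The hex suffix is also regenerated whenever the permission set is recreated, so keeping the removed `AdminPrincipalArns` parameter (or separate parameters for the Identity Center region and permission-set suffix) is more robust than a hard-coded `!Sub`, and the line deserves a comment such as `# aws-reserved SSO role: region is the Identity Center home region, suffix changes if the permission set is recreated`. In the third hunk the statement grants `iam:PutRolePolicy`, `iam:AttachRolePolicy` and `iam:UpdateAssumeRolePolicy` on `role/*`; I cannot tell from the rendered page which of these lines are new, but without a `Condition` (for example requiring `iam:PermissionsBoundary`) or a narrower resource prefix, a holder of this role can attach administrative policies to any role in the account, including this one. The `UserPolicy` statement in the last hunk likewise grants `iam:DeleteAccessKey` on `user/*` for every user in the account, which is broader than a stack-scoped write role should need; narrowing the resource to the stack's user name prefix would bound the blast radius.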