feat(iam): update CloudFormation write role principal and permissions

2026-01-03 20:34:25 +09:00 · 2026-01-03 20:34:25 +09:00 · d6b591a815
commit d6b591a815
parent c6eaeb96fb
1 changed files with 12 additions and 6 deletions
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@ -1,11 +1,6 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: IAM Role for CloudFormation Write operations via AssumeRole
 Parameters:
  AdminPrincipalArns:
    Type: List<String>
    Description: List of IAM Identity Center Role ARNs allowed to assume this role.
 Resources:
  CloudFormationWriteRole:
    Type: AWS::IAM::Role
@ -17,7 +12,7 @@ Resources:
        Statement:
          - Effect: Allow
            Principal:
-              AWS: !Ref AdminPrincipalArns
+              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ECRImport
@ -41,9 +36,11 @@ Resources:
                Action:
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:UpdateRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:AttachRolePolicy
                  - iam:UpdateAssumeRolePolicy
                  - iam:PassRole
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
@ -58,6 +55,15 @@ Resources:
                  - iam:DeletePolicyVersion
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:policy/*
        - PolicyName: UserPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:DeleteAccessKey
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:user/*
        - PolicyName: SecretPolicies
          PolicyDocument:
            Version: "2012-10-17"