nakada0907/daisuke-iam-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add AWS MCP policy and expand CloudFormation role permissions

Browse source 
- Add new AWS MCP managed policy with permissions for MCP tool invocation
- Extend IAM permissions: add AttachRolePolicy and CreatePolicy actions
- Add ELB permissions for target group modification
- Add ECS permissions for task definition management (register/deregister/tag)
This commit is contained in:
Daisuke Nakahara 2026-01-02 16:45:03 +09:00
parent c4cc90881e
commit ebd5d751e2
2 changed files with 40 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

18
policies/aws-mcp-policy.yaml Normal file
View file

@ -0,0 +1,18 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS MCP Managed Policy
Resources:
AWSMCPPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: AWSMCPPolicy
Description: AWS MCP permissions for invoking MCP tools
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- aws-mcp:InvokeMcp
- aws-mcp:CallReadOnlyTool
- aws-mcp:CallReadWriteTool
Resource: "*"

22
roles/cloudformation-write-role.yaml
View file

@ -43,6 +43,7 @@ Resources:
- iam:DeleteRole - iam:DeleteRole
- iam:PutRolePolicy - iam:PutRolePolicy
- iam:DeleteRolePolicy - iam:DeleteRolePolicy
- iam:AttachRolePolicy
- iam:PassRole - iam:PassRole
Resource: Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:role/* - !Sub arn:aws:iam::${AWS::AccountId}:role/*
@ -52,6 +53,7 @@ Resources:
Statement: Statement:
- Effect: Allow - Effect: Allow
Action: Action:
- iam:CreatePolicy
- iam:CreatePolicyVersion - iam:CreatePolicyVersion
- iam:DeletePolicyVersion - iam:DeletePolicyVersion
Resource: Resource:
@ -96,6 +98,26 @@ Resources:
- events:RemoveTargets - events:RemoveTargets
Resource: Resource:
- !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*" - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
- PolicyName: EbPolicies
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- elasticloadbalancing:ModifyTargetGroup
Resource:
- !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
- PolicyName: EcsPolicies
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- ecs:RegisterTaskDefinition
- ecs:DeregisterTaskDefinition
- ecs:TagResource
Resource:
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
ManagedPolicyArns: ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess - arn:aws:iam::aws:policy/ReadOnlyAccess
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite