Add AWS MCP policy and expand CloudFormation role permissions

- Add new AWS MCP managed policy with permissions for MCP tool invocation - Extend IAM permissions: add AttachRolePolicy and CreatePolicy actions - Add ELB permissions for target group modification - Add ECS permissions for task definition management (register/deregister/tag)
2026-01-02 16:45:03 +09:00 · 2026-01-02 16:45:03 +09:00 · ebd5d751e2
commit ebd5d751e2
parent c4cc90881e
2 changed files with 40 additions and 0 deletions
--- a/policies/aws-mcp-policy.yaml
+++ b/policies/aws-mcp-policy.yaml
@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: AWS MCP Managed Policy
+
+Resources:
+  AWSMCPPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: AWSMCPPolicy
+      Description: AWS MCP permissions for invoking MCP tools
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - aws-mcp:InvokeMcp
+              - aws-mcp:CallReadOnlyTool
+              - aws-mcp:CallReadWriteTool
+            Resource: "*"
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@ -43,6 +43,7 @@ Resources:
                  - iam:DeleteRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
+                  - iam:AttachRolePolicy
                  - iam:PassRole
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
@ -52,6 +53,7 @@ Resources:
            Statement:
              - Effect: Allow
                Action:
+                  - iam:CreatePolicy
                  - iam:CreatePolicyVersion
                  - iam:DeletePolicyVersion
                Resource:
@ -96,6 +98,26 @@ Resources:
                  - events:RemoveTargets
                Resource:
                  - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
+        - PolicyName: EbPolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - elasticloadbalancing:ModifyTargetGroup
+                Resource:
+                  - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
+        - PolicyName: EcsPolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ecs:RegisterTaskDefinition
+                  - ecs:DeregisterTaskDefinition
+                  - ecs:TagResource
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite