nakada0907/daisuke-iam-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add CloudFormation write IAM role, managed policy, and repository README

Browse source
This commit is contained in:
Daisuke Nakahara 2025-12-31 19:52:14 +09:00
commit ef8bceff67
3 changed files with 111 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

58
roles/cloudformation-write-role.yaml Normal file
View file

@ -0,0 +1,58 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role for CloudFormation Write operations via AssumeRole
Parameters:
AdminPrincipalArns:
Type: List<String>
Description: List of IAM Identity Center Role ARNs allowed to assume this role.
Resources:
CloudFormationWriteRole:
Type: AWS::IAM::Role
Properties:
RoleName: CloudFormationWriteRole
Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Ref AdminPrincipalArns
Action: sts:AssumeRole
Policies:
- PolicyName: ECRImport
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- ecr:DescribeRepositories
- ecr:GetRepositoryPolicy
- ecr:DeleteRepositoryPolicy
- ecr:PutImageScanningConfiguration
Resource:
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
- PolicyName: RoleWrite
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:PutRolePolicy
- iam:DeleteRolePolicy
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
- PolicyName: PolicyWrite
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:CreatePolicyVersion
- iam:DeletePolicyVersion
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite