diff --git a/roles/cloudformation-write-role.yaml b/roles/cloudformation-write-role.yaml
index 85a1ab8..a6df4c0 100644
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@@ -179,6 +179,11 @@ Resources:
 Action:
 - lambda:CreateFunction
 - lambda:DeleteFunction
+ - lambda:UpdateFunctionCode
+ - lambda:PublishVersion
+ - lambda:CreateAlias
+ - lambda:UpdateAlias
+ - lambda:DeleteAlias
 - lambda:TagResource
 - lambda:UntagResource
 - lambda:AddPermission
diff --git a/roles/s3-write-role.yaml b/roles/s3-write-role.yaml
new file mode 100644
index 0000000..9ca33f4
--- /dev/null
+++ b/roles/s3-write-role.yaml
@@ -0,0 +1,35 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: IAM Role for S3 Write operations via AssumeRole
+
+Resources:
+S3WriteRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: S3WriteRole
+Description: Role for CLI users to upload files to S3 buckets
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771
+Action: sts:AssumeRole
+Policies:
+- PolicyName: S3Policy
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+Action:
+- s3:ListBucket
+Resource:
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-blog-lambda-source-bucket
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-forgejo-source-bucket
+- Effect: Allow
+Action:
+- s3:PutObject
+- s3:GetObject
+- s3:DeleteObject
+Resource:
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-blog-lambda-source-bucket/*
+- !Sub arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-forgejo-source-bucket/*
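Review bot: The five new actions (`lambda:UpdateFunctionCode`, `lambda:PublishVersion`, `lambda:CreateAlias`, `lambda:UpdateAlias`, `lambda:DeleteAlias`) are added to a statement whose `Resource` element lies outside this hunk, so the hunk does not show what functions they apply to. `lambda:UpdateFunctionCode` lets the holder replace the executable of any function the statement covers, which then runs under that function's own execution role, so if the `Resource` is `*` this statement becomes an indirect path to every function's privileges in the account; it is worth confirming the statement is scoped to the function ARNs this role deploys (for example `!Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:<prefix>*`, prefix to be chosen by the maintainer) rather than a wildcard. A one-line comment above the new entries stating why version and alias management is needed by this deployment role would also help the next reviewer. The enclosing IAM statement starts and ends outside the hunk.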
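Review bot: The trust policy at `Principal: AWS:` hard-codes a single IAM Identity Center permission-set role by its full name, including the generated suffix `_42269022c2fff771`; those reserved roles are recreated with a new suffix whenever the permission set is reprovisioned, so the trust relationship would silently break, and the path segment built from `${AWS::Region}` follows the stack's region rather than the Identity Center instance's region, which may not be the same. I would move the principal ARN into a template parameter so it can be updated without editing the policy, as sketched below. Separately, the role's `Description` says "upload files" but the second policy statement also grants `s3:DeleteObject` on both buckets; either drop it or reword the description so the granted scope is documented accurately.
```yaml
Parameters:
  SsoRoleArn:
    Type: String
    Description: ARN of the IAM Identity Center permission-set role allowed to assume S3WriteRole
    AllowedPattern: ^arn:aws:iam::[0-9]{12}:role/.+$
# … unchanged: Resources/S3WriteRole/Properties up to the Principal …
              AWS: !Ref SsoRoleArn
# … unchanged: Action sts:AssumeRole and the S3Policy statements …
```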