Daisuke
ebd5d751e2
- Add new AWS MCP managed policy with permissions for MCP tool invocation - Extend IAM permissions: add AttachRolePolicy and CreatePolicy actions - Add ELB permissions for target group modification - Add ECS permissions for task definition management (register/deregister/tag)
123 lines
4.4 KiB
YAML
123 lines
4.4 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: IAM Role for CloudFormation Write operations via AssumeRole
|
|
|
|
Parameters:
|
|
AdminPrincipalArns:
|
|
Type: List<String>
|
|
Description: List of IAM Identity Center Role ARNs allowed to assume this role.
|
|
|
|
Resources:
|
|
CloudFormationWriteRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
RoleName: CloudFormationWriteRole
|
|
Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
AWS: !Ref AdminPrincipalArns
|
|
Action: sts:AssumeRole
|
|
Policies:
|
|
- PolicyName: ECRImport
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecr:DescribeRepositories
|
|
- ecr:GetRepositoryPolicy
|
|
- ecr:DeleteRepositoryPolicy
|
|
- ecr:PutImageScanningConfiguration
|
|
- ecr:SetRepositoryPolicy
|
|
Resource:
|
|
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
|
|
- PolicyName: RoleWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreateRole
|
|
- iam:DeleteRole
|
|
- iam:PutRolePolicy
|
|
- iam:DeleteRolePolicy
|
|
- iam:AttachRolePolicy
|
|
- iam:PassRole
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
|
|
- PolicyName: PolicyWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreatePolicy
|
|
- iam:CreatePolicyVersion
|
|
- iam:DeletePolicyVersion
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
|
|
- PolicyName: SecretPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- secretsmanager:GetSecretValue
|
|
Resource:
|
|
- !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
|
|
- PolicyName: S3Policies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- s3:PutBucketNotification
|
|
Resource:
|
|
- arn:aws:s3:::*
|
|
- PolicyName: CodePipelinePolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- codepipeline:UpdatePipeline
|
|
Resource:
|
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
|
|
- !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*/*"
|
|
- PolicyName: EventPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- events:PutRule
|
|
- events:DeleteRule
|
|
- events:PutTargets
|
|
- events:RemoveTargets
|
|
Resource:
|
|
- !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
|
|
- PolicyName: EbPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- elasticloadbalancing:ModifyTargetGroup
|
|
Resource:
|
|
- !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
|
|
- PolicyName: EcsPolicies
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecs:RegisterTaskDefinition
|
|
- ecs:DeregisterTaskDefinition
|
|
- ecs:TagResource
|
|
Resource:
|
|
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
|
|
ManagedPolicyArns:
|
|
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
|