58 lines
2 KiB
YAML
58 lines
2 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: IAM Role for CloudFormation Write operations via AssumeRole
|
|
|
|
Parameters:
|
|
AdminPrincipalArns:
|
|
Type: List<String>
|
|
Description: List of IAM Identity Center Role ARNs allowed to assume this role.
|
|
|
|
Resources:
|
|
CloudFormationWriteRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
RoleName: CloudFormationWriteRole
|
|
Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal:
|
|
AWS: !Ref AdminPrincipalArns
|
|
Action: sts:AssumeRole
|
|
Policies:
|
|
- PolicyName: ECRImport
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ecr:DescribeRepositories
|
|
- ecr:GetRepositoryPolicy
|
|
- ecr:DeleteRepositoryPolicy
|
|
- ecr:PutImageScanningConfiguration
|
|
Resource:
|
|
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
|
|
- PolicyName: RoleWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:PutRolePolicy
|
|
- iam:DeleteRolePolicy
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
|
|
- PolicyName: PolicyWrite
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- iam:CreatePolicyVersion
|
|
- iam:DeletePolicyVersion
|
|
Resource:
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
|
|
|
|
ManagedPolicyArns:
|
|
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
|
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
|