Closed bakharzy closed 4 months ago
Hi @bakharzy,
I hope this helps you. Obviously you can strip out the GitHub Actions references.
```yaml
Role:
  Type: AWS::IAM::Role
  Properties:
    # Trust policy: only GitHub Actions runs for the named repository may assume the role
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: sts:AssumeRoleWithWebIdentity
          Principal:
            Federated: !If
              - CreateOIDCProvider
              - !Ref GithubOidc
              - !Ref OIDCProviderArn
          Condition:
            StringLike:
              token.actions.githubusercontent.com:sub: !Sub repo:${GithubRepository}:*
    ManagedPolicyArns:
      # Used for Github PAT
      - arn:aws:iam::aws:policy/SecretsManagerReadWrite
    Policies:
      - PolicyName: LZA
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - s3:CreateBucket
                - s3:DeleteBucket
                - s3:SetBucketEncryption
                - s3:DeleteBucketPolicy
                - s3:Put*
                - s3:Object*
                - s3:Get*
                - s3:List*
                - s3:Set*
              Resource:
                - arn:aws:s3:::aws*
            - Sid: PackageDeploy
              Effect: Allow
              Action:
                - iam:TagRole
                - iam:UntagRole
              Resource: "*"
            - Sid: Codepipeline
              Effect: Allow
              Action: codepipeline:*
              Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*
            - Effect: Allow
              Action:
                - logs:*
              Resource:
                - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/AWSAccelerator*
            - Effect: Allow
              Action:
                - events:PutRule
                - events:DescribeRule
                - events:DeleteRule
                - events:RemoveTargets
                - events:PutTargets
              Resource: !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/AWSAccelerator*
            - Effect: Allow
              Action:
                - codebuild:*
              Resource:
                - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/AWSAccelerator*
            - Effect: Allow
              Action:
                - codecommit:*
              Resource:
                # codecommit actions only match codecommit ARNs (a codebuild ARN here would never apply)
                - !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:*
            - Sid: PackageDeploySsm
              Effect: Allow
              Action:
                - ssm:*
              Resource:
                - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/accelerator*
            - Effect: Allow
              Action:
                - lambda:GetFunction
                - lambda:CreateFunction
                - lambda:DeleteFunction
                - lambda:GetFunctionConfiguration
                - lambda:AddPermission
                - lambda:RemovePermission
                - lambda:InvokeFunction
                - lambda:UpdateFunctionCode
                - lambda:UpdateFunctionConfiguration
                - lambda:ListTags
                - lambda:TagResource
                - lambda:UntagResource
              Resource:
                - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:AWSAccelerator*
            # Broadest grant in the policy: every KMS action on every key in the account
            - Effect: Allow
              Action:
                - kms:*
              Resource:
                - "*"
            - Effect: Allow
              Action:
                - cloudformation:*
              Resource:
                - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/AWSAccelerator-*
                - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/github-permissions*
                - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/github-pat*
                - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/control-tower-kms*
                - !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/*
            - Effect: Allow
              Action:
                - iam:GetOpenIDConnectProvider
                - iam:ListOpenIDConnectProviders
                - iam:ListOpenIDConnectProviderTags
                - iam:TagOpenIDConnectProvider
                - iam:UntagOpenIDConnectProvider
                - iam:AddClientIDToOpenIDConnectProvider
                - iam:RemoveClientIDFromOpenIDConnectProvider
                - iam:UpdateOpenIDConnectProviderThumbprint
              Resource: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            - Effect: Allow
              Action:
                - iam:UpdateAssumeRolePolicy
                - iam:AddRoleToInstanceProfile
                - iam:AttachRolePolicy
                - iam:CreateInstanceProfile
                - iam:CreateRole
                - iam:Get*
                - iam:PassRole
                - iam:CreatePolicy
                - iam:DeleteInstanceProfile
                - iam:DeleteRole
                - iam:DetachRolePolicy
                - iam:RemoveRoleFromInstanceProfile
                - iam:UpdateRole
                - iam:DeleteRolePolicy
                - iam:PutRolePolicy
                - iam:CreatePolicyVersion # ManagedPolicy
                - iam:DeletePolicyVersion # ManagedPolicy
                - iam:DeletePolicy # ManagedPolicy
                - iam:ListPolicyVersions
                - iam:TagRole
                - iam:UntagRole
              Resource:
                - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAccelerator*
                - !Sub arn:aws:iam::${AWS::AccountId}:policy/AWSAccelerator*
                - !Sub arn:aws:iam::${AWS::AccountId}:role/github-permissions*
                - !Sub arn:aws:iam::${AWS::AccountId}:policy/github-permissions*
```
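Since the question is about least privilege, here is an added static check (example code, not from the reply's author or the Landing Zone Accelerator project) that walks a policy document like the one above and reports the grants a reviewer would question: wildcard actions on `Resource: "*"`, actions whose resource ARN belongs to a different service (so the statement can never match), and an OIDC trust condition whose `sub` pattern ends in `:*` or that lacks an `aud` check. The `STATEMENTS` and `TRUST_CONDITION` values are constructed here to mirror a subset of the posted template; the `lint_*` functions and the `ARN_SERVICE_ALIASES` table are assumptions of this example.

```python
"""Least-privilege checks for an IAM role like the one in the reply above.
Added example, not code from the issue author or the LZA project. The data
below is constructed to mirror part of the posted template; `!Sub` values are
written out as plain strings with their `${...}` placeholders left in place.
"""
from __future__ import annotations

from typing import Any

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"

# Constructed sample: the trust-policy condition from the posted template.
TRUST_CONDITION = {"StringLike": {SUB_KEY: "repo:${GithubRepository}:*"}}

# Constructed sample: a subset of the posted inline policy statements.
STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:Put*", "s3:Get*"],
     "Resource": ["arn:aws:s3:::aws*"]},
    {"Sid": "PackageDeploy", "Effect": "Allow",
     "Action": ["iam:TagRole", "iam:UntagRole"], "Resource": "*"},
    {"Sid": "Codepipeline", "Effect": "Allow", "Action": "codepipeline:*",
     "Resource": "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"},
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]},
    # Action prefix and resource service disagree, as in the posted template.
    {"Effect": "Allow", "Action": ["codecommit:*"],
     "Resource": ["arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:*"]},
]

# Action prefixes whose resources live under another service's ARN namespace
# (assumed table; extend as needed).
ARN_SERVICE_ALIASES = {"sts": {"iam"}}


def _as_list(value: Any) -> list[str]:
    """IAM accepts a string or a list for Action and Resource; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _arn_service(resource: str) -> str | None:
    """Service field of arn:partition:service:region:account:resource, else None."""
    parts = resource.split(":", 5)
    if len(parts) < 3 or parts[0] != "arn":
        return None  # "*" or a malformed value
    return parts[2]


def lint_statement(stmt: dict, label: str) -> list[str]:
    """Flag wildcard grants and action/resource service mismatches in one statement."""
    findings: list[str] = []
    if stmt.get("Effect") != "Allow":
        return findings
    resources = _as_list(stmt.get("Resource"))
    any_resource = "*" in resources
    for action in _as_list(stmt.get("Action")):
        service, _, verb = action.partition(":")
        if verb == "*" and any_resource:
            findings.append(f"{label}: {action} on Resource '*' is full service access")
        elif any_resource:
            findings.append(f"{label}: {action} is not scoped to a resource")
        elif verb == "*":
            findings.append(f"{label}: {action} is a service wildcard (resource-scoped)")
        for res in resources:
            res_service = _arn_service(res)
            if res_service is None or service == "*" or res_service == service:
                continue
            if res_service not in ARN_SERVICE_ALIASES.get(service, set()):
                findings.append(f"{label}: {action} can never match {res} (service '{res_service}')")
    return findings


def lint_trust_condition(condition: dict) -> list[str]:
    """Check the GitHub OIDC `sub` and `aud` claims the trust policy relies on."""
    findings: list[str] = []
    sub = None
    for operator in ("StringEquals", "StringLike"):
        sub = condition.get(operator, {}).get(SUB_KEY) or sub
    if sub is None:
        findings.append("trust: no `sub` condition, any repository using the provider may assume the role")
    for pattern in _as_list(sub):
        if pattern.startswith("*") or pattern.startswith("repo:*"):
            findings.append(f"trust: sub '{pattern}' does not pin a repository")
        elif pattern.endswith(":*"):
            findings.append(f"trust: sub '{pattern}' matches every branch, tag, pull request and environment of the repository")
    if condition.get("StringEquals", {}).get(AUD_KEY) != "sts.amazonaws.com":
        findings.append("trust: no `aud` == sts.amazonaws.com condition")
    return findings


def lint_role(trust_condition: dict, statements: list[dict]) -> list[str]:
    """Run both checks; one finding per issue, empty list when clean."""
    findings = lint_trust_condition(trust_condition)
    for index, stmt in enumerate(statements):
        findings.extend(lint_statement(stmt, stmt.get("Sid", f"statement[{index}]")))
    return findings


if __name__ == "__main__":
    for finding in lint_role(TRUST_CONDITION, STATEMENTS):
        print(finding)
```

Run against the sample it reports the `kms:*` on `"*"` grant, the two unscoped `iam:TagRole`/`iam:UntagRole` actions, the `codecommit:*` statement whose ARN names `codebuild`, and a `sub` pattern that admits any branch of the repository; pinning the trust condition to something like `repo:ORG/REPO:ref:refs/heads/main` together with an `aud` equal to `sts.amazonaws.com` yields no trust findings.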
Is your feature request related to a problem? Please describe.
I am looking into creating a service role for CloudFormation to create/update the "AWSAccelerator-InstallerStack.template". The service role is assumed by CloudFormation and has the necessary permissions to run a stack.
Service role: https://docs.aws.amazon.com/prescriptive-guidance/latest/least-privilege-cloudformation/service-roles-for-cloudformation.html
Describe the feature you'd like
I want to follow the least privilege principle. Therefore, I would need the permissions that CloudFormation requires to run the template. Where can I find a list of those permissions to use on my service role?