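---
AWSTemplateFormatVersion: '2010-09-09'
Description: Iam Roles for account running a static S3 website with cloudfront (IAMAdmin, Admin, S3Admin/User)
Metadata:
  License: magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later

Parameters:
  # Lets the User role's write permission be scoped to the one website bucket.
  # The default '*' reproduces the original (account-wide) grant exactly, so
  # existing deployments are unaffected; set it to the real bucket name to get
  # least privilege.
  WebsiteBucketName:
    Type: String
    Default: '*'
    Description: >-
      Name of the static-website S3 bucket the User role may write to.
      Leave as '*' to allow every bucket in the account (original behaviour).

Resources:
  # Role for managing IAM itself. IAMFullAccess plus CloudFormation write is
  # full control of the account's identity layer, so this is the most
  # sensitive role in the template.
  IAMAdmin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: IAMAdmin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Trusts the root of a fixed account: any principal there that is
          # allowed sts:AssumeRole can take this role, and no MFA condition
          # (aws:MultiFactorAuthPresent) is required. The same trust appears on
          # Admin and User below.
          # NOTE(review): the Federated principal uses ${AWS::AccountId} while
          # this one is hard-coded — confirm whether 212707113393 is meant to be
          # this account or a separate trusting account.
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          # SAML federation via the Google IdP registered in this account; the
          # audience check ties assertions to the AWS sign-in endpoint.
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml

  # Operational admin for the website stack: full control of S3, Route 53,
  # CloudFront and ACM plus CloudFormation, but no IAM write access.
  Admin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Admin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
        - arn:aws:iam::aws:policy/CloudFrontFullAccess
        - arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml

  # Content-publisher role: account-wide read (ReadOnlyAccess covers object
  # data, not just metadata) plus the write permissions in UserPolicy.
  User:
    Type: AWS::IAM::Role
    Properties:
      RoleName: User
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Ref UserPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml

  UserPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Grants Access to Created/Update/Delete S3 Objects & Clear Cloudfront caches
      PolicyDocument:
        # Quoted like the other Version fields: an unquoted 2012-10-17 is a
        # YAML 1.1 timestamp, which some tooling re-serialises as a datetime
        # and CloudFormation then rejects as an invalid policy version.
        Version: '2012-10-17'
        Statement:
          # Object writes only; bucket-level actions (create/delete bucket,
          # policy changes) are deliberately not included.
          - Effect: Allow
            Action:
              - s3:DeleteObject
              - s3:PutObject
            Resource: !Sub 'arn:aws:s3:::${WebsiteBucketName}/*'
          # Cache purge. CloudFront supports distribution-level resource ARNs,
          # so '*' allows invalidating every distribution in the account —
          # narrow it to the website's distribution when the ID is known.
          - Effect: Allow
            Action: cloudfront:CreateInvalidation
            Resource: '*'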