AWSTemplateFormatVersion: '2010-09-09'
Description: IAM roles for an account running a static S3 website with CloudFront (IAMAdmin, Admin, S3Admin/User)
Metadata:
  License: magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later
Resources:
  # Role for managing IAM itself plus CloudFormation; read-only elsewhere.
  IAMAdmin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: IAMAdmin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Trust the root of account 212707113393: any principal that account's
          # own IAM policies permit may call sts:AssumeRole on this role.
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          # Trust the Google SAML identity provider registered in this account;
          # the SAML:aud condition ties the assertion to the AWS sign-in endpoint.
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  # Role for operating the site's infrastructure (S3, Route 53, CloudFront, ACM);
  # deliberately has no IAM write access.
  Admin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Admin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
        - arn:aws:iam::aws:policy/CloudFrontFullAccess
        - arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  # Least-privilege role for publishing content: read-only plus the
  # customer-managed UserPolicy below.
  User:
    Type: AWS::IAM::Role
    Properties:
      RoleName: User
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Ref UserPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  UserPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Grants access to create/update/delete S3 objects and clear CloudFront caches
      PolicyDocument:
        # Quoted on purpose: an unquoted 2012-10-17 is parsed by YAML as a date,
        # which CloudFormation rejects as an invalid policy version.
        Version: '2012-10-17'
        Statement:
          # Object writes are allowed in every bucket in the account
          # (arn:aws:s3:::*/*); scope the Resource to the site bucket to narrow this.
          - Effect: Allow
            Action:
              - s3:DeleteObject
              - s3:PutObject
            Resource: 'arn:aws:s3:::*/*'
          # Cache invalidation on any distribution.
          - Effect: Allow
            Action: cloudfront:CreateInvalidation
            Resource: '*'