Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- WebAppRole:
- Type: "AWS::IAM::Role"
- Properties:
- AssumeRolePolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: "Allow"
- Action:
- - "sts:AssumeRole"
- Principal:
- AWS:
- - !Sub
- - "arn:aws:iam::${AccountNumber}:user/<ci_user>"
- - { AccountNumber: !FindInMap [ AccountNumberMap, !Ref Env, AccountNumber ] }
- ......
- ......
- ......
- BaseCloudFormationPolicy:
- Type: "AWS::IAM::Policy"
- Properties:
- PolicyName: <ci_policy_name>
- Users:
- - !Ref <ci_user> ## attach to our ci_user
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: "Allow"
- ...
- ...
- - "cloudformation:ExecuteChangeSet"
- - "cloudformation:DescribeStacks"
- Resource:
- - !Sub ## the user can only execute the specific stacks we say
- - "arn:aws:cloudformation:${Region}:${AccountNumber}:stack/<web-stack>/*"
- - { AccountNumber: !FindInMap [ AccountNumberMap, !Ref Env, AccountNumber ], Region: 'AWS::Region' }
- ...
- ...
- - Effect: "Allow"
- Action:
- - "sts:AssumeRole" ## we actually assume this role instead of pass. This is because we use
- ## s3 sync, instead of cloudformation cli & it doens't support --role-arn, only --profile
- Resource:
- - !Sub
- - "arn:aws:iam::${AccountNumber}:role/webapp_deploy_role"
- - { AccountNumber: !FindInMap [ AccountNumberMap, !Ref Env, AccountNumber ] }
Add Comment
Please, Sign In to add comment
