Merge pull request #77 from tantona/tantonat/add-aws-service-operator-iam-role

tantona · web-flow · commit 0067efc1b773 · 2018-09-11T17:08:11.000-05:00
iam role to be assumed by the aws-service-operator
diff --git a/configs/aws-service-operator-role.yaml b/configs/aws-service-operator-role.yaml
@@ -0,0 +1,55 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Role for aws-service-operator"
+
+Parameters:
+  WorkerArn:
+    Type: String
+    Description: The arn of the worker nodes used to assume this role
+
+Resources:
+  AWSServiceOperatorRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-service-operator
+      AssumeRolePolicyDocument: !Sub
+        - |
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "Service": "ec2.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              },
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "AWS": "${WorkerArn}"
+                },
+                "Action": "sts:AssumeRole"
+              }
+            ]
+          }
+        - WorkerArn: !Ref WorkerArn
+      Policies:
+        - PolicyName: aws-service-operator
+          PolicyDocument: |
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "sqs:*",
+                    "sns:*",
+                    "cloudformation:*",
+                    "ecr:*",
+                    "dynamodb:*",
+                    "s3:*"
+                  ],
+                  "Resource": "*"
+                }
+              ]
+            }
