@@ -54,3 +54,111 @@ Resources:
5454 }
5555 ]
5656 }
57+
58+ GithubCIRoleOnlyUsEast1Keys :
59+ Type : " AWS::IAM::Role"
60+ Properties :
61+ RoleName : !Sub "GitHub-CI-${ProjectName}-Role-only-us-east-1-KMS-keys"
62+ Description : " Access KMS Resources for CI from GitHub. Only grants access to use keys in us-east-1 region. Created for use by CI while executing Custom Client Supplier Example."
63+ ManagedPolicyArns :
64+ - !Ref KMSUsageOnlyUsEast1Keys
65+ AssumeRolePolicyDocument : !Sub |
66+ {
67+ "Version": "2012-10-17",
68+ "Statement": [
69+ {
70+ "Effect": "Allow",
71+ "Principal": { "AWS": "arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2" },
72+ "Action": "sts:AssumeRole"
73+ },
74+ {
75+ "Effect": "Allow",
76+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
77+ "Action": "sts:AssumeRoleWithWebIdentity",
78+ "Condition": {
79+ "StringEquals": {
80+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
81+ },
82+ "StringLike": {
83+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
84+ }
85+ }
86+ },
87+ {
88+ "Effect": "Allow",
89+ "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
90+ "Action": "sts:AssumeRole"
91+ }
92+ ]
93+ }
94+
95+ GithubCIRoleOnlyEuWest1Keys :
96+ Type : " AWS::IAM::Role"
97+ Properties :
98+ RoleName : !Sub "GitHub-CI-${ProjectName}-Role-only-eu-west-1-KMS-keys"
99+ Description : " Access KMS Resources for CI from GitHub. Only grants access to use keys in eu-west-1 region. Created for use by CI while executing Custom Client Supplier Example."
100+ ManagedPolicyArns :
101+ - !Ref KMSUsageOnlyEuWest1Keys
102+ AssumeRolePolicyDocument : !Sub |
103+ {
104+ "Version": "2012-10-17",
105+ "Statement": [
106+ {
107+ "Effect": "Allow",
108+ "Principal": { "AWS": "arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2" },
109+ "Action": "sts:AssumeRole"
110+ },
111+ {
112+ "Effect": "Allow",
113+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
114+ "Action": "sts:AssumeRoleWithWebIdentity",
115+ "Condition": {
116+ "StringEquals": {
117+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
118+ },
119+ "StringLike": {
120+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
121+ }
122+ }
123+ },
124+ {
125+ "Effect": "Allow",
126+ "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
127+ "Action": "sts:AssumeRole"
128+ }
129+ ]
130+ }
131+
132+ KMSUsageOnlyUsEast1Keys :
133+ Type : " AWS::IAM::ManagedPolicy"
134+ Properties :
135+ ManagedPolicyName : !Sub "${ProjectName}-KMS-only-us-east-1"
136+ PolicyDocument :
137+ Version : " 2012-10-17"
138+ Statement :
139+ - Effect : Allow
140+ Action :
141+ - kms:Encrypt
142+ - kms:Decrypt
143+ - kms:GenerateDataKey
144+ - kms:GetPublicKey
145+ Resource :
146+ - !Sub " arn:aws:kms:us-east-1:658956600833:key/*"
147+ - !Sub " arn:aws:kms:us-east-1:658956600833:alias/*"
148+
149+ KMSUsageOnlyEuWest1Keys :
150+ Type : " AWS::IAM::ManagedPolicy"
151+ Properties :
152+ ManagedPolicyName : !Sub "${ProjectName}-KMS-only-eu-west-1"
153+ PolicyDocument :
154+ Version : " 2012-10-17"
155+ Statement :
156+ - Effect : Allow
157+ Action :
158+ - kms:Encrypt
159+ - kms:Decrypt
160+ - kms:GenerateDataKey
161+ - kms:GetPublicKey
162+ Resource :
163+ - !Sub " arn:aws:kms:eu-west-1:658956600833:key/*"
164+ - !Sub " arn:aws:kms:eu-west-1:658956600833:alias/*"
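Review bot: The OIDC statement in the new trust policy (the `StringLike` block at gutter lines 82–84) scopes the GitHub principal only to `"repo:${GitHubRepo}:*"`, so a workflow run from any branch, tag, pull request or environment of that repository can assume `GithubCIRoleOnlyUsEast1Keys`; if the role is meant only for the Custom Client Supplier example, a narrower claim such as `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:ref:refs/heads/main"` (or an `environment:` claim) limits which runs can reach the keys. The same trust document is repeated verbatim at gutter lines 103–130 for `GithubCIRoleOnlyEuWest1Keys`, so the same narrowing applies there and a comment above each role noting that the two trust policies must stay in sync would help the next editor. The two managed policies hard-code account `658956600833` in the key ARNs while the trust policies use `${AWS::AccountId}`; if the keys intentionally live in a different account than the stack, a comment such as `# KMS keys are owned by account 658956600833, not the deploying account` saves a lookup, and if not, the ARNs should use `${AWS::AccountId}` too. The `alias/*` resource entries likely have no effect for `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDataKey`/`kms:GetPublicKey`, which IAM authorizes against the key ARN rather than the alias ARN, so they can be dropped or replaced with a `kms:ResourceAliases` condition. Several quoted scalars appear with a leading space inside the quotes (`" AWS::IAM::Role"`, `" 2012-10-17"`, `" arn:aws:kms:…"`); if that is in the file rather than a rendering artifact, `Version` and `Type` would not be the exact strings CloudFormation and IAM expect.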