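---
# GitHub Actions federation: one IAM OIDC identity provider for GitHub plus three
# roles (ReadOnly, Deliver, Deploy) that workflows of a single org/repo may assume
# with sts:AssumeRoleWithWebIdentity, so no long-lived AWS keys live in GitHub.
#
# Every trust policy below pins both the `sub` claim (which repo the token was
# issued for) and the `aud` claim (which audience the workflow requested).
AWSTemplateFormatVersion: "2010-09-09"
Description: Github Actions Federated Roles

Parameters:
  GitHubOrganization:
    Type: String
    Description: This is the root organization where repos are stored
    Default: "rosswickman"
  RepoName:
    Type: String
    Description: The repo(s) these roles will have access to
    Default: "aws-actions-federation"
  RoleName:
    Type: String
    Description: >-
      Unique identifier to deploy multiple role groups for different org/repo
      combinations
    Default: "GitHub-Actions"

# Trust-policy `sub` patterns, narrowest first. The roles below use the first
# one; `repo:${GitHubOrganization}/*` would trust every repository in the
# organization, including ones created after this stack is deployed.
#   repo:${GitHubOrganization}/${RepoName}:*            # specific repo, any branch
#   repo:${GitHubOrganization}/*:ref:refs/heads/main    # main branch, any repo
#   repo:${GitHubOrganization}/*                        # any branch, any repo

Resources:
  GitHubProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      # NOTE(review): GitHub documents its Actions OIDC issuer as
      # https://token.actions.githubusercontent.com; confirm this hostname against
      # the `iss` claim of a current workflow token. The condition keys in the
      # role trust policies are derived from this hostname and must change with it.
      Url: https://vstoken.actions.githubusercontent.com
      # Thumbprint of the issuer's TLS certificate chain at the time of writing.
      # Verify it against the issuer's current chain before deploying: a stale
      # thumbprint makes every AssumeRoleWithWebIdentity call fail.
      ThumbprintList:
        - "a031c46782e6e6c662c2c87c76da9aa62ccabd8e"
      # Audiences (`aud` claim) this provider accepts; tokens carrying any other
      # audience are rejected before a trust policy is evaluated.
      # NOTE(review): GitHub's default `aud` is the repository owner URL, so the
      # workflow must explicitly request this org/repo audience for tokens to be
      # accepted - confirm against the workflow definition.
      ClientIdList:
        - !Sub "https://github.com/${GitHubOrganization}/${RepoName}"
      Tags:
        - Key: Name
          Value: !Sub "${RoleName}-Provider"

  # Read-only role: AWS managed ReadOnlyAccess, no inline policies.
  ReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${RoleName}-ReadOnly"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubProvider
            Condition:
              # `aud` pinned as defence in depth: ClientIdList already limits the
              # audience at the provider, but the trust policy should not rely on it.
              StringEquals:
                vstoken.actions.githubusercontent.com:aud: !Sub "https://github.com/${GitHubOrganization}/${RepoName}"
              # Any branch, tag or environment of the configured repo.
              StringLike:
                vstoken.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrganization}/${RepoName}:*"

  # Deliver role: ReadOnlyAccess plus S3 list/get/put for publishing artifacts.
  DeliverRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${RoleName}-Deliver"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubProvider
            Condition:
              StringEquals:
                vstoken.actions.githubusercontent.com:aud: !Sub "https://github.com/${GitHubOrganization}/${RepoName}"
              StringLike:
                vstoken.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrganization}/${RepoName}:*"
      Policies:
        - PolicyName: S3-Allow
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): s3:PutObject on every bucket in the account lets a
              # compromised workflow overwrite any object; scope Resource to the
              # artifact bucket(s) this pipeline actually delivers to.
              - Sid: S3Actions
                Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                  - s3:PutObject
                Resource:
                  - "arn:aws:s3:::*"
                  - "arn:aws:s3:::*/*"

  # Deploy role: ReadOnlyAccess plus S3 read and CloudFormation stack operations.
  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${RoleName}-Deploy"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubProvider
            Condition:
              StringEquals:
                vstoken.actions.githubusercontent.com:aud: !Sub "https://github.com/${GitHubOrganization}/${RepoName}"
              StringLike:
                vstoken.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrganization}/${RepoName}:*"
      Policies:
        - PolicyName: S3-Allow
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only S3 (no PutObject, unlike DeliverRole). Still account-wide;
              # narrow Resource to the template/artifact bucket(s) where known.
              - Sid: S3Actions
                Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                Resource:
                  - "arn:aws:s3:::*"
                  - "arn:aws:s3:::*/*"
        - PolicyName: CFN-Allow
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): cloudformation:* on every stack in this account and
              # region is broad - it includes delete and update of stacks this
              # pipeline does not own. Narrow the Resource to the stack names this
              # pipeline deploys if they are known.
              - Sid: CFNAllowActions
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource:
                  - !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:*/*/*"

Outputs:
  ReadOnlyRole:
    Description: ARN of the read-only role for GitHub Actions workflows
    Value: !GetAtt ReadOnlyRole.Arn
  DeliverRole:
    Description: ARN of the deliver role for GitHub Actions workflows
    Value: !GetAtt DeliverRole.Arn
  DeployRole:
    Description: ARN of the deploy role for GitHub Actions workflows
    Value: !GetAtt DeployRole.Arn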