Merge pull request #77 from tantona/tantonat/add-aws-service-operator…

…-iam-role iam role to be assumed by the aws-service-operator
amazon-archives · Sep 11, 2018 · 0067efc · 0067efc
2 parents 1f2e700 + 53d69ae
commit 0067efc
Showing 1 changed file with 55 additions and 0 deletions.
diff --git a/configs/aws-service-operator-role.yaml b/configs/aws-service-operator-role.yaml
@@ -0,0 +1,55 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Role for aws-service-operator"
+
+Parameters:
+  WorkerArn:
+    Type: String
+    Description: The arn of the worker nodes used to assume this role
+
+Resources:
+  AWSServiceOperatorRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-service-operator
+      AssumeRolePolicyDocument: !Sub
+        - |
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "Service": "ec2.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              },
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "AWS": "${WorkerArn}"
+                },
+                "Action": "sts:AssumeRole"
+              }
+            ]
+          }
+        - WorkerArn: !Ref WorkerArn
+      Policies:
+        - PolicyName: aws-service-operator
+          PolicyDocument: |
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "sqs:*",
+                    "sns:*",
+                    "cloudformation:*",
+                    "ecr:*",
+                    "dynamodb:*",
+                    "s3:*"
+                  ],
+                  "Resource": "*"
+                }
+              ]
+            }