You upload this template when you create the StackSet.
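---
# Oomnitza Direct Role Assumption – child-account read-only role.
# Deployed through a StackSet. IAM is a global service and both the role name
# and the managed-policy name are fixed, so target ONE region per account;
# a second region in the same account would collide on RoleName/ManagedPolicyName.
AWSTemplateFormatVersion: '2010-09-09'
Description: Oomnitza Direct Role Assumption – Child account read-only role

Parameters:
  PrincipalArn:
    Type: String
    Description: Oomnitza instance role ARN that will assume this role
    # Require an IAM principal ARN so a wildcard or malformed value cannot
    # widen the trust policy beyond a single account. Partition-aware
    # (aws, aws-cn, aws-us-gov); any IAM resource under the account is accepted.
    AllowedPattern: '^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:.+$'
    ConstraintDescription: Must be an IAM principal ARN, e.g. arn:aws:iam::<account-id>:role/<name>
  ExternalId:
    Type: String
    Description: External ID provided by Oomnitza Credentials
    # The external ID is the confused-deputy guard on the trust policy; keep it
    # out of console views and DescribeStacks output.
    NoEcho: true
    # sts:ExternalId accepts 2-1224 characters; reject values the trust
    # policy could never match.
    MinLength: 2
    MaxLength: 1224
  CustomerRoleName:
    Type: String
    Default: OomAccessRole
    Description: Must match the Cross-Account Role Name shown in Oomnitza (Step 1)

Resources:
  # Read-only enumeration rights only (Describe*/List*); no mutating actions.
  # Resource '*' is required because Describe/List calls are not resource-scoped.
  OomnitzaReadOnlyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub '${CustomerRoleName}-Policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ReadOnlyDescribe
            Effect: Allow
            Action:
              - ec2:Describe*
              - rds:Describe*
              - redshift:Describe*
              - s3:List*
              - iam:List*
              - workspaces:Describe*
              - organizations:ListAccounts
            Resource: '*'

  # Role assumed by the Oomnitza principal. The trust policy is limited to the
  # single PrincipalArn AND requires the shared ExternalId on every AssumeRole.
  OomnitzaChildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref CustomerRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref PrincipalArn
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        - !Ref OomnitzaReadOnlyPolicy

Outputs:
  ChildRoleArn:
    Description: ARN of the role Oomnitza will assume
    Value: !GetAtt OomnitzaChildRole.Arn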