【AWS】CloudFormation ~ IAM ~

■ Introduction

https://dk521123.hatenablog.com/entry/2022/05/25/220037
https://dk521123.hatenablog.com/entry/2022/05/26/112627

Continuation of the articles above.

This time, we create IAM resources with CloudFormation.

Table of contents

【1】IAM Role
 1)RoleName
 2)AssumeRolePolicyDocument
 3)Policies
【2】IAM Policy
【3】Sample

【1】IAM Role

* Use "Type: AWS::IAM::Role"

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

1)RoleName

* Specify the role name

2)AssumeRolePolicyDocument

* The trust policy: for each role, the setting that explicitly allows a third party (the principal) to assume it
 => For details on AssumeRole, see the related article below

https://dk521123.hatenablog.com/entry/2022/05/23/000000

Illustration

Resources:
  DemoRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: who is allowed to call sts:AssumeRole on this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            # Sample account ID; in practice, the account that is allowed to assume the role
            AWS: arn:aws:iam::123456780123:root
          Action: sts:AssumeRole
          # Allow AssumeRole only when the caller passes the external ID "ExternalId123"
          Condition:
            StringEquals:
              sts:ExternalId: "ExternalId123"

3)Policies

* Specify the IAM policies attached inline to the role

【2】IAM Policy

* Use "Type: AWS::IAM::Policy"
or
* Specify the policy under "3)Policies" of 【1】

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
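As an added example (not from the original post), a complete template that combines the ExternalId trust policy from 【1】 with a standalone AWS::IAM::Policy attached to the role through its Roles property; the parameters TrustedAccountId, ExternalId and TargetBucketName are assumptions introduced here so that the policy is scoped to one bucket rather than Resource: "*".

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - cross-account role plus a standalone AWS::IAM::Policy

Parameters:
  TrustedAccountId:
    Type: String   # assumption: 12-digit ID of the account allowed to assume the role
  ExternalId:
    Type: String   # assumption: value agreed with the trusted party, checked via sts:ExternalId
    NoEcho: true
  TargetBucketName:
    Type: String   # assumption: the only bucket this role may access

Resources:
  DemoRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"   # quoted so YAML does not parse it as a date
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${TrustedAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId

  # Standalone policy resource (section 【2】), attached to the role through Roles
  DemoS3Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: demo-s3-policy
      Roles:
        - !Ref DemoRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Bucket-level action on the bucket ARN, object-level actions on the object ARN
          - Effect: Allow
            Action: s3:ListBucket
            Resource: !Sub "arn:aws:s3:::${TargetBucketName}"
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: !Sub "arn:aws:s3:::${TargetBucketName}/*"
```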

【3】Sample

AWSTemplateFormatVersion: "2010-09-09"
Description: This is a sample for IAM role

Resources:
  DemoIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Trust policy: only the EC2 service may assume this role (for use via an instance profile)
      AssumeRolePolicyDocument:
        Version: "2012-10-17"   # quoted so the YAML parser does not turn it into a date
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      # Inline policies (see 3) Policies)
      Policies:
        - PolicyName: aws-policy-for-ec2
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:Describe*"
                  - "ec2:CreateTags"
                  - "s3:PutObject"
                  - "s3:ListBucket"
                  - "s3:GetObject"
                  - "s3:GetEncryptionConfiguration"
                  - "ssm:UpdateInstanceInformation"
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                # "*" grants these actions on every resource in the account; narrow to specific ARNs where possible
                Resource: "*"

## ------------------------------------------------------------#
## Output Parameters
## ------------------------------------------------------------#
Outputs:
  DemoIamRole:
    Value: !Ref DemoIamRole
    Export:
      Name: aws-ec2-role

Related articles

CloudFormation ~ Introduction ~
https://dk521123.hatenablog.com/entry/2021/10/26/224812
CloudFormation ~ Basics ~
https://dk521123.hatenablog.com/entry/2021/12/01/170326
CloudFormation ~ Intrinsic Functions ~
https://dk521123.hatenablog.com/entry/2021/12/04/202519
CloudFormation ~ Pseudo Parameters ~
https://dk521123.hatenablog.com/entry/2021/12/05/134313
CloudFormation ~ DeletionPolicy Attribute ~
https://dk521123.hatenablog.com/entry/2021/12/27/211328
CloudFormation ~ S3 ~
https://dk521123.hatenablog.com/entry/2022/05/25/220037
CloudFormation ~ KMS ~
https://dk521123.hatenablog.com/entry/2022/05/26/112627
Building Github/CodePipeline/CodeBuild with CloudFormation
https://dk521123.hatenablog.com/entry/2021/12/26/155956
IAM ~ Cross-account ~
https://dk521123.hatenablog.com/entry/2022/05/23/000000
AWS Certification ~ Associate / Solutions Architect ~
https://dk521123.hatenablog.com/entry/2022/03/01/000000