■ Introduction
https://dk521123.hatenablog.com/entry/2022/05/25/220037 https://dk521123.hatenablog.com/entry/2022/05/26/112627
Continuing from the posts above. This time, I'll try creating IAM resources with CloudFormation.
Table of contents
【1】IAM Role
 1) RoleName
 2) AssumeRolePolicyDocument
 3) Policies
【2】IAM Policy
【3】Sample
【1】IAM Role
* Use "Type: AWS::IAM::Role"
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
1) RoleName
* Specifies the name of the role
2) AssumeRolePolicyDocument
* The trust policy: for each role, it explicitly grants a third party (principal) permission to assume the role => For details on AssumeRole, see the related article below
https://dk521123.hatenablog.com/entry/2022/05/23/000000
Example
Resources:
  DemoRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456780123:root
            Action: sts:AssumeRole
            # Allow AssumeRole only when the caller's external ID matches "ExternalId123"
            Condition:
              StringEquals:
                sts:ExternalId: "ExternalId123"
3) Policies
* Specifies inline IAM policies attached to the role
【2】IAM Policy
* Use "Type: AWS::IAM::Policy", or
* specify the policy under "3) Policies" in 【1】
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
【3】Sample
AWSTemplateFormatVersion: "2010-09-09"
Description: This is a sample for IAM role
Resources:
  DemoIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        # Quoted so the YAML parser does not read the version as a date
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Sub "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: aws-policy-for-ec2
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:Describe*"
                  - "ec2:CreateTags"
                  - "s3:PutObject"
                  - "s3:ListBucket"
                  - "s3:GetObject"
                  - "s3:GetEncryptionConfiguration"
                  - "ssm:UpdateInstanceInformation"
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                # "*" applies these actions to every bucket/instance in the account;
                # narrow to specific ARNs (e.g. the target bucket) for production use
                Resource: "*"
## ------------------------------------------------------------#
## Output Parameters
## ------------------------------------------------------------#
Outputs:
  DemoIamRole:
    Value: !Ref DemoIamRole
    Export:
      Name: aws-ec2-role
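As an added example (not part of the original post), a small Python check that walks a template's AWS::IAM::Role resources and flags the two points the sections above touch on: an AWS-account principal in the trust policy with no sts:ExternalId condition, and inline Allow statements on Resource "*". The template is embedded as JSON (constructed from this post's samples) so it runs on the standard library alone.

```python
import json

# Constructed input: the post's EC2 role plus a cross-account role, in JSON form
# so the check runs on the standard library alone (no PyYAML needed).
TEMPLATE = json.loads("""{"Resources": {
  "DemoIamRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
    "Policies": [{"PolicyName": "aws-policy-for-ec2", "PolicyDocument": {"Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:PutObject"], "Resource": "*"}]}}]}},
  "CrossAccountRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456780123:root"}, "Action": "sts:AssumeRole"}]}}}}}""")


def _as_list(value):
    # IAM accepts a single string or a list for Action / Resource.
    return value if isinstance(value, list) else [value]


def review_roles(template):
    """Return (logical_id, finding) pairs for every AWS::IAM::Role in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        # Trust policy: an AWS-account (or anonymous "*") principal with no
        # sts:ExternalId condition is assumable by anything in that account
        # that holds sts:AssumeRole; the post's Condition block closes this.
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            principal = stmt.get("Principal", {})
            if stmt.get("Effect") != "Allow":
                continue
            if principal == "*" or (isinstance(principal, dict) and "AWS" in principal):
                if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
                    findings.append((name, "trust policy allows an AWS principal without sts:ExternalId"))
        # Inline policies: Allow on Resource "*" applies the actions account-wide.
        for pol in props.get("Policies", []):
            for stmt in pol.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
                    acts = ", ".join(_as_list(stmt.get("Action", [])))
                    findings.append((name, f"{pol['PolicyName']}: Resource '*' for {acts}"))
    return findings


if __name__ == "__main__":
    for logical_id, msg in review_roles(TEMPLATE):
        print(f"{logical_id}: {msg}")
```

Running it against the constructed template reports the wildcard resource on DemoIamRole and the missing external ID on CrossAccountRole; adding the Condition block from section 2) clears the second finding.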
Related articles
CloudFormation ~ Introduction ~
https://dk521123.hatenablog.com/entry/2021/10/26/224812
CloudFormation ~ Basics ~
https://dk521123.hatenablog.com/entry/2021/12/01/170326
CloudFormation ~ Intrinsic functions ~
https://dk521123.hatenablog.com/entry/2021/12/04/202519
CloudFormation ~ Pseudo parameters ~
https://dk521123.hatenablog.com/entry/2021/12/05/134313
CloudFormation ~ DeletionPolicy attribute ~
https://dk521123.hatenablog.com/entry/2021/12/27/211328
CloudFormation ~ S3 ~
https://dk521123.hatenablog.com/entry/2022/05/25/220037
CloudFormation ~ KMS ~
https://dk521123.hatenablog.com/entry/2022/05/26/112627
Building GitHub/CodePipeline/CodeBuild with CloudFormation
https://dk521123.hatenablog.com/entry/2021/12/26/155956
IAM ~ Cross-account ~
https://dk521123.hatenablog.com/entry/2022/05/23/000000
AWS Certification ~ Associate / Solutions Architect ~
https://dk521123.hatenablog.com/entry/2022/03/01/000000