This repository has been archived by the owner on Dec 6, 2024. It is now read-only.

fix: Give AppDeployer role permission to manage permission boundaries and managed policies (#416)

* feat: add permissions boundary to custom role serverless uses to manage CW log publishing

* docs: updated description of managed policy

* chore: added region to API Gateway resource instead of a wildcard

* fix: Remove files that got accidentally committed with PR #402

* refactor: perm boundary for apiHandler workflow (#406)

* refactor: apihandler and wfwloop perm boundary

* refactor: restricting backend CW log actions

* fix: removing compute permissions from main acct

* fix: removing dependency between CFN resources

Co-authored-by: Jeet <[email protected]>

* refactor: handling main acct as member scenario (#409)

* refactor: handling main acct as member scenario

* refactor: restricting assume role policy

* fix: grammar check

* Fix malformed policy (#410)

* fix: malformed policy fix

* fix: legacy parsing CFN

* ci: fix gh merge workflow to do ff-only (#407)

* chore: fix gh merge workflow to do ff-only

* Empty commit

* Empty commit

* Empty commit 2

* ci: add workaround for merge with branch protection

* ci: fix repo name

Co-authored-by: Jeet <[email protected]>
Co-authored-by: Sanket Dharwadkar <[email protected]>

* docs: removing team email from feedback (#413)

* fix: new install backend resource dependency (#414)

* fix: Give AppDeployer role permission to manage permission boundaries and managed policies

* fix: Fix resources for CreatePolicy and PermissionBoundary actions

Co-authored-by: Sanket Dharwadkar <[email protected]>
Co-authored-by: Nestor Carvantes <[email protected]>
3 people authored Apr 1, 2021
1 parent f8bcf69 commit a8c1aae
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions main/cicd/cicd-pipeline/config/infra/cloudformation.yml
Expand Up @@ -234,6 +234,15 @@ Resources:
- iam:*TagRole*
Resource: '*'
Effect: Allow
- Action:
- iam:CreatePolicy
Effect: Allow
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.namespace}-*'
- Action:
- iam:PutRolePermissionsBoundary
- iam:DeleteRolePermissionsBoundary
Effect: Allow
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*'

# Role that allows triggering the CodePipeline. This role is assumed by CloudWatch Events from the Source AWS Account
# where the source code is located (i.e., the account containing the AWS CodeCommit repo with the source code)
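Review bot: The second added statement grants `iam:PutRolePermissionsBoundary` and `iam:DeleteRolePermissionsBoundary` on `role/${self:custom.settings.namespace}-*` with no `Condition`, so the deployer can attach any policy as the boundary or strip the boundary from any namespace role, which undoes the restriction the boundary is meant to enforce. Consider adding a `StringEquals` condition on `iam:PermissionsBoundary` that pins the Put action to the expected boundary policy ARN, and either dropping the Delete action or limiting it to the roles that are actually torn down with the stack. If the AppDeployer role's own name matches the namespace prefix, it should be excluded from this resource pattern. Separately, the first statement allows only `iam:CreatePolicy`; unless they are granted elsewhere in this file, stack updates and deletes of the managed policy will also need `iam:CreatePolicyVersion`, `iam:DeletePolicyVersion` and `iam:DeletePolicy` scoped to the same `policy/${self:custom.settings.namespace}-*` resource.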