Created
January 23, 2022 23:12
Sample
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Setup IAM For Github Actions
Parameters:
  GithubRepo:
    Type: String
    Description: In the form of organization/repository
Resources:
  # OIDC identity provider for the GitHub Actions token issuer
  GithubIdentityProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1
      Url: https://token.actions.githubusercontent.com
  # Role that workflows in GithubRepo assume through the provider above
  GithubActionsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref GithubIdentityProvider
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            Condition:
              # The trailing * admits any branch, tag, pull request or
              # environment of this repository
              StringLike:
                "token.actions.githubusercontent.com:sub": !Sub "repo:${GithubRepo}:*"
      Description: Access to deploy
      Policies:
        - PolicyName: GHActionsDeploy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # ecr:GetAuthorizationToken does not support resource-level
              # permissions, so it needs Resource "*"
              - Effect: Allow
                Resource:
                  - "*"
                Action:
                  - ecr:GetAuthorizationToken
              # "*" here covers every ECR repository in the account;
              # replace it with specific repository ARNs to narrow access
              - Effect: Allow
                Resource:
                  - "*"
                Action:
                  - ecr:BatchGetImage
                  - ecr:BatchCheckLayerAvailability
                  - ecr:CompleteLayerUpload
                  - ecr:GetDownloadUrlForLayer
                  - ecr:InitiateLayerUpload
                  - ecr:PutImage
                  - ecr:UploadLayerPart
      RoleName: GithubActions
```