roles.cf 2.89 KB
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ExecRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version" : "2012-10-17",
                    "Statement": [ {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [ "lambda.amazonaws.com" ]
                        },
                        "Action": [ "sts:AssumeRole" ]
                    } ]
                }
            }
        },
        "ExecRolePolicies": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "ExecRolePolicy",
                "PolicyDocument": {
                    "Version" : "2012-10-17",
                    "Statement": [ {
                        "Effect": "Allow",
                        "Action": [
                            "logs:*"
                        ],
                        "Resource": "arn:aws:logs:*:*:*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:GetObject",
                            "s3:PutObject"
                        ],
                        "Resource": [
                            "arn:aws:s3:::*"
                        ]
                    } ]
                },
                "Roles": [ { "Ref": "ExecRole" } ]
            }
        },
        "InvokeRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version" : "2012-10-17",
                    "Statement": [ {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [ "s3.amazonaws.com" ]
                        },
                        "Action": [ "sts:AssumeRole" ],
                        "Condition": {
                            "ArnLike": {
                                "sts:ExternalId": "arn:aws:s3:::*"
                            }
                        }
                    } ]
                }
            }
        },
        "InvokeRolePolicies": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "ExecRolePolicy",
                "PolicyDocument": {
                    "Version" : "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Resource": [
                                "*"
                            ],
                            "Action": [
                                "lambda:InvokeFunction"
                            ]
                        }
                    ]
                },
                "Roles": [ { "Ref": "InvokeRole" } ]
            }
        }
    }
}