security-and-compliance-account/stacks/pipeline_stack/cdk_stack.py [104:182]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        # Service role for the pipeline. Its trust policy admits only the
        # CodePipeline service principal; no managed policies are attached here,
        # the permissions come from the CodePipelinePolicy declared below.
        # NOTE(review): this role/policy pair is duplicated verbatim in the
        # workload-account pipeline stack — consider a shared construct so the
        # two grants cannot drift apart.
        code_pipeline_role = iam.Role(
            self,
            'CodePipelineRole',
            assumed_by = iam.ServicePrincipal('codepipeline.amazonaws.com')
        )

        # IAM Policy for CodePipeline
        code_pipeline_policy = iam.Policy(
            self,
            'CodePipelinePolicy',
            roles = [
                code_pipeline_role
            ],
            statements = [
                iam.PolicyStatement(
                    sid = 'KmsAllowKeyUsage',
                    actions = [
                        'kms:DescribeKey',
                        'kms:GetKeyPolicy',
                        'kms:List*',
                        'kms:Encrypt',
                        'kms:Decrypt',
                        'kms:ReEncrypt*',
                        'kms:Generate*'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        pipeline_encryption_key.key_arn
                    ]
                ),
                iam.PolicyStatement(
                    sid = 'CodeCommitRepoAccess',
                    actions = [
                        'codecommit:GetBranch',
                        'codecommit:GetCommit',
                        'codecommit:UploadArchive',
                        'codecommit:GetUploadArchiveStatus',
                        'codecommit:CancelUploadArchive'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        source_repo.repository_arn
                    ]
                ),
                iam.PolicyStatement(
                    sid = 'PipelineBucketAccess',
                    actions = [
                        's3:GetBucket*',
                        's3:ListBucket*'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        pipeline_bucket.bucket_arn
                    ]
                ),
                iam.PolicyStatement(
                    sid = 'PipelineBucketObjectAccess',
                    actions = [
                        's3:AbortMultipartUpload',
                        's3:GetObject*',
                        's3:PutObject*',
                        's3:DeleteObject*',
                        's3:RestoreObject',
                        's3:ListMultipartUploadParts'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        pipeline_bucket.bucket_arn+'/*'
                    ]
                ),
                # NOTE(review): iam:PassRole on '*' lets this pipeline hand any
                # role in the account to the services it invokes, which is wider
                # than the rest of this policy (every other statement is scoped
                # to a single key, repo or bucket ARN). Scope `resources` to the
                # role ARNs the pipeline's action stages actually pass — which
                # ones is outside this excerpt, confirm against the later
                # stages — and/or add an `iam:PassedToService` condition.
                iam.PolicyStatement(
                    sid = 'PassRoleAccess',
                    actions = [
                        'iam:PassRole'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = ['*']
                ),
                iam.PolicyStatement(
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



workload-account/stacks/pipeline_stack/cdk_stack.py [121:199]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        # Service role for the pipeline. Its trust policy admits only the
        # CodePipeline service principal; no managed policies are attached here,
        # the permissions come from the CodePipelinePolicy declared below.
        # NOTE(review): this role/policy pair is duplicated verbatim in the
        # security-and-compliance-account pipeline stack — consider a shared
        # construct so the two grants cannot drift apart.
        code_pipeline_role = iam.Role(
            self,
            'CodePipelineRole',
            assumed_by = iam.ServicePrincipal('codepipeline.amazonaws.com')
        )

        # IAM Policy for CodePipeline
        code_pipeline_policy = iam.Policy(
            self,
            'CodePipelinePolicy',
            roles = [
                code_pipeline_role
            ],
            statements = [
                iam.PolicyStatement(
                    sid = 'KmsAllowKeyUsage',
                    actions = [
                        'kms:DescribeKey',
                        'kms:GetKeyPolicy',
                        'kms:List*',
                        'kms:Encrypt',
                        'kms:Decrypt',
                        'kms:ReEncrypt*',
                        'kms:Generate*'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        pipeline_encryption_key.key_arn
                    ]
                ),
                iam.PolicyStatement(
                    sid = 'CodeCommitRepoAccess',
                    actions = [
                        'codecommit:GetBranch',
                        'codecommit:GetCommit',
                        'codecommit:UploadArchive',
                        'codecommit:GetUploadArchiveStatus',
                        'codecommit:CancelUploadArchive'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        source_repo.repository_arn
                    ]
                ),
                iam.PolicyStatement(
                    sid = 'PipelineBucketAccess',
                    actions = [
                        's3:GetBucket*',
                        's3:ListBucket*'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        pipeline_bucket.bucket_arn
                    ]
                ),
                iam.PolicyStatement(
                    sid = 'PipelineBucketObjectAccess',
                    actions = [
                        's3:AbortMultipartUpload',
                        's3:GetObject*',
                        's3:PutObject*',
                        's3:DeleteObject*',
                        's3:RestoreObject',
                        's3:ListMultipartUploadParts'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = [
                        pipeline_bucket.bucket_arn+'/*'
                    ]
                ),
                # NOTE(review): iam:PassRole on '*' lets this pipeline hand any
                # role in the account to the services it invokes, which is wider
                # than the rest of this policy (every other statement is scoped
                # to a single key, repo or bucket ARN). Scope `resources` to the
                # role ARNs the pipeline's action stages actually pass — which
                # ones is outside this excerpt, confirm against the later
                # stages — and/or add an `iam:PassedToService` condition.
                iam.PolicyStatement(
                    sid = 'PassRoleAccess',
                    actions = [
                        'iam:PassRole'
                    ],
                    effect = iam.Effect.ALLOW,
                    resources = ['*']
                ),
                iam.PolicyStatement(
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



