createALBIamRole()

in cdk-resources/lib/cdk-resources-stack.ts [94:220]


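  /**
   * Creates the IAM role that the AWS Load Balancer Controller assumes via
   * IRSA (IAM Roles for Service Accounts) and stores it in `this.albIamRole`.
   *
   * The trust policy is pinned to one Kubernetes service account. Without the
   * `:sub` / `:aud` conditions on the federated principal, any pod in the
   * cluster — any namespace, any service account — could call
   * AssumeRoleWithWebIdentity against this role.
   *
   * @param serviceAccountNamespace namespace of the controller's service
   *   account; defaults to the upstream Helm chart default.
   * @param serviceAccountName name of the controller's service account;
   *   defaults to the upstream Helm chart default.
   * @throws Error when `config.eksOIDCProvider` does not look like an IAM OIDC
   *   provider ARN (the issuer host/path for the condition keys cannot be derived).
   */
  createALBIamRole(
    serviceAccountNamespace = 'kube-system',
    serviceAccountName = 'aws-load-balancer-controller',
  ) {
    // IRSA condition keys are "<issuer-host/path>:sub" and "<issuer-host/path>:aud";
    // the issuer host/path is the part of the provider ARN after "oidc-provider/".
    // NOTE(review): assumes config.eksOIDCProvider is a literal ARN string and not an
    // unresolved CDK token — confirm; a token would need Fn.split instead of String.split.
    const oidcIssuer = config.eksOIDCProvider.split('oidc-provider/')[1];
    if (!oidcIssuer) {
      throw new Error(
        `config.eksOIDCProvider must be an IAM OIDC provider ARN, got: ${config.eksOIDCProvider}`,
      );
    }

    const federatedPrincipal = new iam.FederatedPrincipal(
      config.eksOIDCProvider,
      {
        StringEquals: {
          // Only tokens minted for STS, for exactly this service account.
          [`${oidcIssuer}:aud`]: 'sts.amazonaws.com',
          [`${oidcIssuer}:sub`]: `system:serviceaccount:${serviceAccountNamespace}:${serviceAccountName}`,
        },
      },
      'sts:AssumeRoleWithWebIdentity',
    );

    this.albIamRole = new iam.Role(this, 'ALBRole', {
      assumedBy: federatedPrincipal,
      // A fixed role name is account-global: a second deployment of this stack
      // in the same account collides on this name.
      roleName: 'AlbRoleName',
    });

    // Permissions the controller needs to manage security groups, load
    // balancers, listeners, rules, target groups and the WAF / Cognito
    // integrations. Each action is listed once (the previous list repeated 22).
    const ec2Actions = [
      'ec2:AuthorizeSecurityGroupEgress',
      'ec2:AuthorizeSecurityGroupIngress',
      'ec2:CreateSecurityGroup',
      'ec2:CreateTags',
      'ec2:DeleteSecurityGroup',
      'ec2:DeleteTags',
      'ec2:DescribeAccountAttributes',
      'ec2:DescribeAddresses',
      'ec2:DescribeAvailabilityZones',
      'ec2:DescribeCoipPools',
      'ec2:DescribeInstances',
      'ec2:DescribeInstanceStatus',
      'ec2:DescribeInternetGateways',
      'ec2:DescribeNetworkInterfaces',
      'ec2:DescribeSecurityGroups',
      'ec2:DescribeSubnets',
      'ec2:DescribeTags',
      'ec2:DescribeVpcs',
      'ec2:GetCoipPoolUsage',
      'ec2:ModifyInstanceAttribute',
      'ec2:ModifyNetworkInterfaceAttribute',
      'ec2:ModifySecurityGroupRules',
      'ec2:RevokeSecurityGroupEgress',
      'ec2:RevokeSecurityGroupIngress',
      'ec2:UpdateSecurityGroupRuleDescriptionsEgress',
      'ec2:UpdateSecurityGroupRuleDescriptionsIngress',
    ];
    const elbActions = [
      'elasticloadbalancing:AddListenerCertificates',
      'elasticloadbalancing:AddTags',
      'elasticloadbalancing:CreateListener',
      'elasticloadbalancing:CreateLoadBalancer',
      'elasticloadbalancing:CreateRule',
      'elasticloadbalancing:CreateTargetGroup',
      'elasticloadbalancing:DeleteListener',
      'elasticloadbalancing:DeleteLoadBalancer',
      'elasticloadbalancing:DeleteRule',
      'elasticloadbalancing:DeleteTargetGroup',
      'elasticloadbalancing:DeregisterTargets',
      'elasticloadbalancing:DescribeListenerCertificates',
      'elasticloadbalancing:DescribeListeners',
      'elasticloadbalancing:DescribeLoadBalancerAttributes',
      'elasticloadbalancing:DescribeLoadBalancers',
      'elasticloadbalancing:DescribeRules',
      'elasticloadbalancing:DescribeSSLPolicies',
      'elasticloadbalancing:DescribeTags',
      'elasticloadbalancing:DescribeTargetGroupAttributes',
      'elasticloadbalancing:DescribeTargetGroups',
      'elasticloadbalancing:DescribeTargetHealth',
      'elasticloadbalancing:ModifyListener',
      'elasticloadbalancing:ModifyLoadBalancerAttributes',
      'elasticloadbalancing:ModifyRule',
      'elasticloadbalancing:ModifyTargetGroup',
      'elasticloadbalancing:ModifyTargetGroupAttributes',
      'elasticloadbalancing:RegisterTargets',
      'elasticloadbalancing:RemoveListenerCertificates',
      'elasticloadbalancing:RemoveTags',
      'elasticloadbalancing:SetIpAddressType',
      'elasticloadbalancing:SetSecurityGroups',
      'elasticloadbalancing:SetSubnets',
      'elasticloadbalancing:SetWebACL',
    ];
    const integrationActions = [
      'iam:GetServerCertificate',
      'iam:ListServerCertificates',
      'cognito-idp:DescribeUserPoolClient',
      'waf-regional:AssociateWebACL',
      'waf-regional:DisassociateWebACL',
      'waf-regional:GetWebACL',
      'waf-regional:GetWebACLForResource',
      // Carried over from the previous policy; it is the trust-policy action
      // and grants nothing useful in a permissions policy.
      'sts:AssumeRoleWithWebIdentity',
    ];

    this.albIamRole.addToPolicy(new iam.PolicyStatement({
      actions: [...ec2Actions, ...elbActions, ...integrationActions],
      resources: ['*'],
    }));

    // The controller only ever needs the ELB service-linked role; the condition
    // keeps it from creating service-linked roles for any other service.
    this.albIamRole.addToPolicy(new iam.PolicyStatement({
      actions: ['iam:CreateServiceLinkedRole'],
      resources: ['*'],
      conditions: {
        StringEquals: { 'iam:AWSServiceName': 'elasticloadbalancing.amazonaws.com' },
      },
    }));

    // TODO(security): the two KMS statements below are not part of the load
    // balancer controller's permission set. Custom key store management on
    // every key store, plus "kms:*" on every key and alias in the account,
    // lets a compromised controller pod create, reconfigure, delete and use
    // any KMS key in the account. Kept as-is so nothing that currently relies
    // on it breaks; scope them to the specific keys actually needed, or drop
    // them if nothing does.
    this.albIamRole.addToPolicy(new iam.PolicyStatement({
      actions: [
        'kms:ConnectCustomKeyStore',
        'kms:CreateCustomKeyStore',
        'kms:CreateKey',
        'kms:DeleteCustomKeyStore',
        'kms:DescribeCustomKeyStores',
        'kms:DisconnectCustomKeyStore',
        'kms:GenerateRandom',
        'kms:ListAliases',
        'kms:ListKeys',
        'kms:UpdateCustomKeyStore',
      ],
      resources: ['*'],
    }));

    this.albIamRole.addToPolicy(new iam.PolicyStatement({
      actions: ['kms:*'],
      resources: [
        `arn:aws:kms:*:${this.account}:key/*`,
        `arn:aws:kms:*:${this.account}:alias/*`,
      ],
    }));
  }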