in dcv_session_manager_infrastructure/dcv_session_manager_infrastructure_stack.py [0:0]
def create_dcv_role(self, ef_nodename_parameter, dcvsm_certificate, config):
    """Create the IAM role the DCV EC2 instances run under.

    The role is trusted by ``ec2.amazonaws.com`` and receives, in this
    order: the ``AmazonSSMManagedInstanceCore`` managed policy (console
    access through SSM), ``ssm:GetParameter`` restricted to the two SSM
    parameters passed in, ``secretsmanager:GetSecretValue`` restricted to
    the efadmin password secret named in ``config``, and
    ``ec2:DescribeInstances`` on ``"*"`` (that action does not support
    resource-level permissions in IAM, so a wildcard is the narrowest
    usable value).

    Args:
        ef_nodename_parameter: SSM parameter construct; read access is
            granted on its ``parameter_arn``.
        dcvsm_certificate: SSM parameter construct holding the DCV session
            manager certificate; read access is granted on its
            ``parameter_arn``.
        config: Mapping that must contain ``'arn_efadmin_password'``, the
            Secrets Manager ARN of the efadmin password.

    Returns:
        The configured ``iam.Role``.

    Raises:
        KeyError: if ``config`` has no ``'arn_efadmin_password'`` entry.
    """
    instance_role = iam.Role(
        self,
        "DCV_ROLE",
        assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
    )

    # Console access with SSM.
    instance_role.add_managed_policy(
        iam.ManagedPolicy.from_aws_managed_policy_name(
            "AmazonSSMManagedInstanceCore"
        )
    )

    def _allow(actions, resources):
        # Attach one ALLOW statement scoped to exactly these resources.
        instance_role.add_to_policy(
            iam.PolicyStatement(
                effect=iam.Effect.ALLOW,
                actions=actions,
                resources=resources,
            )
        )

    # Read only the node-name and certificate parameters.
    _allow(
        ["ssm:GetParameter"],
        [ef_nodename_parameter.parameter_arn, dcvsm_certificate.parameter_arn],
    )
    # Read only the efadmin password secret.
    _allow(
        ["secretsmanager:GetSecretValue"],
        [config['arn_efadmin_password']],
    )
    # DescribeInstances is not resource-scoped; "*" is the only valid value.
    _allow(["ec2:DescribeInstances"], ["*"])

    return instance_role