AWSTemplateFormatVersion: "2010-09-09" Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing" Parameters: TableName: Type: String Description: Test Table Name Default: HierarchicalKeyringTestTable KeyStoreTable: Type: String Description: Key Store Test Table Name Default: KeyStoreTestTable ProjectName: Type: String Description: A prefix that will be applied to any names Default: Public-ESDK-Dafny GitHubRepo: Type: String Description: GitHub Repo that invokes CI Default: aws/aws-encryption-sdk Resources: GitHubCIRole: Type: "AWS::IAM::Role" Properties: RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}" Description: "Access DDB, KMS, Resources for CI from GitHub" ManagedPolicyArns: - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2" - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy" - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access" - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy" - "arn:aws:iam::370957321024:policy/Github-ECDH-KMS" AssumeRolePolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" }, "StringLike": { "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" }, "Action": "sts:AssumeRole" } ] } GithubCIRoleOnlyUsEast1Keys: Type: "AWS::IAM::Role" Properties: RoleName: !Sub "GitHub-CI-${ProjectName}-Role-only-us-east-1-KMS-keys" Description: "Access KMS Resources for CI from GitHub. Only grants access to use keys in us-east-1 region. Created for use by CI while executing Custom Client Supplier Example." ManagedPolicyArns: - !Ref KMSUsageOnlyUsEast1Keys AssumeRolePolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Dafny-Role-us-west-2" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" }, "StringLike": { "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" }, "Action": "sts:AssumeRole" } ] } GithubCIRoleOnlyEuWest1Keys: Type: "AWS::IAM::Role" Properties: RoleName: !Sub "GitHub-CI-${ProjectName}-Role-only-eu-west-1-KMS-keys" Description: "Access KMS Resources for CI from GitHub. Only grants access to use keys in eu-west-1 region. Created for use by CI while executing Custom Client Supplier Example." ManagedPolicyArns: - !Ref KMSUsageOnlyEuWest1Keys AssumeRolePolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Dafny-Role-us-west-2" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" }, "StringLike": { "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" }, "Action": "sts:AssumeRole" } ] } KMSUsageOnlyUsEast1Keys: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub "${ProjectName}-KMS-only-us-east-1" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - kms:Encrypt - kms:Decrypt - kms:GenerateDataKey - kms:GetPublicKey Resource: - !Sub "arn:aws:kms:us-east-1:658956600833:key/*" - !Sub "arn:aws:kms:us-east-1:658956600833:alias/*" KMSUsageOnlyEuWest1Keys: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Sub "${ProjectName}-KMS-only-eu-west-1" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - kms:Encrypt - kms:Decrypt - kms:GenerateDataKey - kms:GetPublicKey Resource: - !Sub "arn:aws:kms:eu-west-1:658956600833:key/*" - !Sub "arn:aws:kms:eu-west-1:658956600833:alias/*"