switch-role-template.yaml
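AWSTemplateFormatVersion: '2010-09-09'
Description: IAM group and role for role switching with administrator access

# Layout of this template:
#   - CopSwitchableAdminRole carries the actual privileges (AdministratorAccess
#     plus one customer-managed policy) and can only be entered via sts:AssumeRole
#     with MFA present.
#   - CopSwitchableAdminRoleGroup holds no privileges of its own; it only grants
#     its members permission to assume that role.
# Nobody is meant to hold AdministratorAccess directly: the admin session is a
# temporary AssumeRole session, gated on MFA, rather than a standing grant.

Resources:
  CopSwitchableAdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cop-adminrole
      ManagedPolicyArns:
        # ${AWS::Partition} instead of a hard-coded "aws" so the template also
        # deploys in non-standard partitions; resolves to "aws" in the default one.
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
        # Customer-managed policy that this template does NOT create; it must
        # already exist in the target account or the stack operation fails.
        - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cop-test-s3-policy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Trusting the account's root principal means any IAM identity in this
          # account may assume the role, but only if its own identity-based
          # policy also allows sts:AssumeRole on it (the group below grants that).
          - Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: sts:AssumeRole
            Condition:
              # Plain Bool rather than BoolIfExists: a request in which the MFA
              # context key is absent is denied, so MFA is a hard requirement.
              Bool:
                aws:MultiFactorAuthPresent: true

  CopSwitchableAdminRoleGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cop-switchable-adminrole
      Policies:
        - PolicyName: AllowAssumeCopAdminRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The only permission granted to group members is the switch itself;
              # the privileges live on the role and are reachable only through it.
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !GetAtt CopSwitchableAdminRole.Arn

Outputs:
  RoleName:
    Description: Name of the switchable admin role
    Value: !Ref CopSwitchableAdminRole

  RoleArn:
    Description: ARN of the switchable admin role
    Value: !GetAtt CopSwitchableAdminRole.Arn

  GroupName:
    Description: Name of IAM group allowed to switch role
    Value: !Ref CopSwitchableAdminRoleGroup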