{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template IAM_Users_Groups_and_Policies: Sample template showing how to create IAM users, groups and policies. It creates a single user that is a member of a users group and an admin group. The groups each have different IAM policies associated with them. Note: This example also creates an AWSAccessKeyId/AWSSecretKey pair associated with the new user and surfaces both as stack outputs, so the secret key is readable by anyone permitted to describe the stack. The example is somewhat contrived since it creates all of the users and groups; typically you would be creating policies, users and/or groups that contain references to existing users or groups in your environment. Note that you will need to specify the CAPABILITY_IAM flag when you create the stack to allow this template to execute. You can do this through the AWS management console by clicking on the check box acknowledging that you understand this template creates IAM resources, or by specifying the CAPABILITY_IAM flag to the cfn-create-stack command line tool or CreateStack API call.",
"Parameters" : {
"Password": {
"NoEcho": "true",
"Type": "String",
"Description" : "New account password",
"MinLength": "1",
"MaxLength": "41",
"ConstraintDescription" : "the password must be between 1 and 41 characters"
}
},
"Resources" : {
"CFNUser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"LoginProfile": {
"Password": { "Ref" : "Password" }
}
}
},
"CFNUserGroup" : {
"Type" : "AWS::IAM::Group"
},
"CFNAdminGroup" : {
"Type" : "AWS::IAM::Group"
},
"Users" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName": { "Ref" : "CFNUserGroup" },
"Users" : [ { "Ref" : "CFNUser" } ]
}
},
"Admins" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName": { "Ref" : "CFNAdminGroup" },
"Users" : [ { "Ref" : "CFNUser" } ]
}
},
"CFNUserPolicies" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CFNUsers",
"PolicyDocument" : {
"Statement": [{
"Effect" : "Allow",
"Action" : [
"cloudformation:Describe*",
"cloudformation:List*",
"cloudformation:Get*"
],
"Resource" : "*"
}]
},
"Groups" : [{ "Ref" : "CFNUserGroup" }]
}
},
"CFNAdminPolicies" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CFNAdmins",
"PolicyDocument" : {
"Statement": [{
"Effect" : "Allow",
"Action" : "cloudformation:*",
"Resource" : "*"
}]
},
"Groups" : [{ "Ref" : "CFNAdminGroup" }]
}
},
"CFNKeys" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref": "CFNUser" }
}
}
},
"Outputs" : {
"AccessKey" : {
"Value" : { "Ref" : "CFNKeys" },
"Description" : "AWSAccessKeyId of new user"
},
"SecretKey" : {
"Value" : { "Fn::GetAtt" : ["CFNKeys", "SecretAccessKey"]},
"Description" : "AWSSecretKey of new user"
}
}
}