Cloudformation template to deploy permissions for deploying a serverless project.

AWSTemplateFormatVersion: 2010-09-09
Description: >
  Constructs a managed IAM policy to deploy a serverless project.
  This template assumes the stack is being deployed in the current region and account.
  You can then attach this policy to other IAM objects, such as users or roles.
  Based on the work done in: https://github.com/serverless/serverless/issues/1439
Parameters:
  UserName:
    Description: >-
      The name of the IAM User to construct.
    Type: String
    # From https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html
    AllowedPattern: '[A-Za-z0-9+=,.@-]+'
  Project:
    Description: >-
      A name for this serverless project.
    Type: String
  Stage:
    Description: >-
      The stage for this project.
    Type: String
Conditions: {} # In case we want some...
Resources:
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref UserName
      Policies: [] # Prefer managing policies separately.
  ServerlessRole:
    Type: AWS::IAM::Role
    Properties:
      Policies: []
      AssumeRolePolicyDocument:
        # Quoted so generic YAML parsers do not read the version as a date.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Sub 'cloudformation.${AWS::URLSuffix}'
            Action:
              - sts:AssumeRole
  DeployPolicy:
    Type: AWS::IAM::Policy # Or AWS::IAM::ManagedPolicy, also change PolicyName to ManagedPolicyName.
    Properties:
      Users:
        - !Ref DeployUser
      PolicyName: !Sub '${Project}-${Stage}-DeployPolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ListDeploymentBucket
            Effect: Allow
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
            Resource:
              # See https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html
              # Also https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html
              - !Sub 'arn:${AWS::Partition}:s3:::${Project}-${Stage}-serverlessdeploymentbucket-*'
          - Sid: ReadWriteAccessToDeploymentObjects
            Effect: Allow
            Action:
              - s3:GetObject*
              - s3:PutObject
              - s3:DeleteObject
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${Project}-${Stage}-serverlessdeploymentbucket-*/*'
          - Sid: ValidateTemplate
            Effect: Allow
            Action:
              - cloudformation:ValidateTemplate
            Resource: '*' # ValidateTemplate has no resource-level scope.
          - Sid: ReadAccessToCloudFormation
            Effect: Allow
            Action:
              - cloudformation:Describe*
              - cloudformation:List*
              - cloudformation:Get*
              - cloudformation:PreviewStackUpdate
            Resource:
              # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html
              - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${Project}-${Stage}/*'
          - Sid: WriteAccessToCloudFormation
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${Project}-${Stage}/*'
          - Sid: PassRoleToCloudFormation
            Effect: Allow
            Action:
              - iam:PassRole
            Resource:
              # Pinned to the one role CloudFormation may assume, not role/*.
              - !GetAtt ServerlessRole.Arn
          - Sid: GetServerlessRole
            Effect: Allow
            Action:
              - iam:GetRole
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${Project}-${Stage}-${AWS::Region}-*'
  UpdateLambdaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Users:
        - !Ref DeployUser
      Roles:
        - !Ref ServerlessRole
      PolicyName: !Sub '${Project}-${Stage}-UpdateLambdaPolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: UpdateLambdaPolicy
            Effect: Allow
            Action:
              - lambda:Get*
              - lambda:List*
              - lambda:UpdateFunctionCode
              - lambda:UpdateFunctionConfiguration
              - lambda:InvokeFunction
            Resource:
              - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${Project}-${Stage}*'
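The value of this template is that every mutating action is scoped to the project's own ARNs and `iam:PassRole` is pinned to one role. The following check, added here and not part of the gist, guards that property when the template is edited later: it walks a rendered policy document and flags Allow statements that grant mutating or wildcard actions on `Resource: '*'`, or that grant `iam:PassRole` on anything broader than a specific role ARN. The embedded policy is a constructed rendering of three of the gist's DeployPolicy statements (Project=myapp, Stage=dev, placeholder account id and region).

```python
import fnmatch
import re

# Constructed rendering of three of the gist's DeployPolicy statements for
# Project=myapp, Stage=dev; the account id and region are placeholders.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ValidateTemplate", "Effect": "Allow",
         "Action": ["cloudformation:ValidateTemplate"], "Resource": "*"},
        {"Sid": "WriteAccessToCloudFormation", "Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack"],
         "Resource": ["arn:aws:cloudformation:us-east-1:111111111111:stack/myapp-dev/*"]},
        {"Sid": "PassRoleToCloudFormation", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::111111111111:role/myapp-dev-ServerlessRole-X1"]},
    ],
}

# Verbs that change state; granting them on Resource '*' undoes the scoping.
MUTATING = re.compile(r"^[a-z0-9-]+:(Create|Update|Delete|Put|Pass|Attach|Invoke)", re.I)
# The one action the template legitimately needs on '*' (it has no resource).
WILDCARD_OK = {"cloudformation:validatetemplate"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_findings(policy):
    """Return (Sid, reason) pairs for Allow statements that are over-broad."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            broad = [a for a in actions
                     if a not in WILDCARD_OK and (MUTATING.match(a) or a.endswith("*"))]
            if broad:
                findings.append((sid, f"Resource '*' with mutating or wildcard actions: {broad}"))
        # iam:PassRole (granted directly or via iam:* / *) must be pinned to a role ARN.
        if any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            for res in resources:
                if res == "*" or res.endswith("/*") or res.endswith(":*"):
                    findings.append((sid, f"iam:PassRole not pinned to a role ARN: {res}"))
    return findings
```

Run it against the rendered policy whenever the template changes; an empty result means the least-privilege shape above is intact.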