Chamber IAM Example
# this defines a role "role-name" in the account where this TF will be applied
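resource "aws_iam_role" "role_name" {
  name        = "role-name"
  description = "Allows role-name to do things in account"

  # Trust (assume-role) policy. It must reference the policy document
  # declared in this file, data.aws_iam_policy_document.role_name; the
  # earlier reference to "my_role" points at a data source that is not
  # declared here, so the reference cannot resolve.
  assume_role_policy = "${data.aws_iam_policy_document.role_name.json}"

  # This block only creates the role and its trust relationship. The
  # SSM/KMS permission statements further down in this example are not
  # attached to the role by anything shown here.
}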
# this says that anyone in a separate account with ID 123456789012 can assume the "role-name" role
data "aws_iam_policy_document" "role_name" {
  # Trust policy for role-name: principals in account 123456789012 may
  # call sts:AssumeRole on it. Using the account ":root" ARN as the
  # principal trusts the whole account; which identities there can
  # actually assume the role is then controlled by that account's own IAM
  # policies (they still need sts:AssumeRole granted on their side).
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:root"]
    }
  }
}
{
"Sid": "",
"Effect": "Allow",
"Action": "ssm:DescribeParameters",
"Resource": "arn:aws:ssm:*:*:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ssm:GetParametersByPath",
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:*:*:parameter/service/*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:ListAliases",
"kms:Describe*",
"kms:Decrypt"
],
"Resource": "parameter_store_key"
}