Contrast Serverlessを実行するためのAWSポリシーと権限
ここでは、Contrast Serverlessを実行するためのAWSアカウントのポリシーと権限のサンプルを紹介します。
アクセス管理の例
以下は、アカウントの権限とポリシーのサンプルです。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CustomResources", "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "*" }, { "Sid": "SNS2", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:GetTopicAttributes", "sns:DeleteTopic", "sns:TagResource" ], "Resource": "*" }, { "Sid": "IAM", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetPolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListPolicyVersions", "iam:ListRoleTags", "iam:PassRole", "iam:PutRolePolicy", "iam:TagRole", "iam:UntagRole" ], "Resource": "*" }, { "Sid": "S3", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:PutBucketNotification" ], "Resource": "*" }, { "Sid": "Lambda", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:DeleteFunctionEventInvokeConfig", "lambda:DeleteFunction", "lambda:TagResource", "lambda:PutFunctionEventInvokeConfig" ], "Resource": "*" }, { "Sid": "S3LambdaCode", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*" }, { "Sid": "EventsRule", "Effect": "Allow", "Action": [ "events:DeleteRule", "events:DescribeRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*" }, { "Sid": "CloudTrail", "Effect": "Allow", "Action": [ "cloudtrail:AddTags", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail", "cloudtrail:StartLogging", "cloudtrail:PutEventSelectors" ], "Resource": "*" }, { "Sid": "CloudFormation", "Effect": "Allow", "Action": [ "cloudformation:GetTemplateSummary", "cloudformation:CreateStack", "cloudformation:DescribeStackEvents" ], "Resource": "*" } ] }
AWSの iam create-policy
を実行:
```aws iam create-policy --policy-name Contrast-create-stack --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "CustomResources", "Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*" }, { "Sid": "SNS2", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:GetTopicAttributes", "sns:DeleteTopic", "sns:TagResource" ], "Resource": "*" }, { "Sid": "IAM", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetPolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListPolicyVersions", "iam:ListRoleTags", "iam:PassRole", "iam:PutRolePolicy", "iam:TagRole", "iam:UntagRole" ], "Resource": "*" }, { "Sid": "S3", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:PutBucketNotification" ], "Resource": "*" }, { "Sid": "Lambda", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:DeleteFunctionEventInvokeConfig", "lambda:DeleteFunction", "lambda:TagResource", "lambda:PutFunctionEventInvokeConfig" ], "Resource": "*" }, { "Sid": "S3LambdaCode", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }, { "Sid": "EventsRule", "Effect": "Allow", "Action": [ "events:DeleteRule", "events:DescribeRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*" }, { "Sid": "CloudTrail", "Effect": "Allow", "Action": [ "cloudtrail:AddTags", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail", "cloudtrail:StartLogging", "cloudtrail:PutEventSelectors" ], "Resource": "*" }, { "Sid": "CloudFormation", "Effect": "Allow", "Action": [ "cloudformation:GetTemplateSummary", "cloudformation:CreateStack", "cloudformation:DescribeStackEvents" ], "Resource": "*" } ] }```
レスポンスを取得:
ユーザポリシーをアタッチ:
aws iam attach-user-policy --policy-arn arn:aws:iam::402181209224:policy/Contrast-serverless-create-stack --user-name <USER-NAME></USER-NAME>
レスポンスを取得:
これで、デプロイメントを実行できるようになりました。