Generates an IAM policy for the CloudFormation base describe-type's schema
cfn-giam
Automatically generate the IAM policies required to deploy your CloudFormation templates
Manual procedure
- Open AWS CloudShell or any terminal configured with the AWS CLI.
- Install cfn-giam:
  pip3 install cfngiam
- Generate the IAM policy required to deploy the CloudFormation file or folder:
  cfn-giam -i $yourcfn -o $exportfolder
cli options
| CLI option | Description | Required |
|---|---|---|
| -i, --input-path | CloudFormation file, folder, or URL pointing at CloudFormation files. YAML and JSON are supported. If the path is a folder, it is scanned recursively. | yes, or -l |
| -l, --input-resource-type-list | List of AWS resource type names as a comma-separated string, e.g. "AWS::IAM::Role,AWS::VPC::EC2". | yes, or -i |
| -o, --output-folderpath | Root folder for the generated IAM policy files. If not specified, it defaults to the input path; if no input path is given either, files are written to the current directory. | no |
| -v, --version | Show version information and quit. | no |
| -V, --verbose | Give more detailed output. | no |
| --help | Show a help synopsis and quit. | no |
cli examples
CloudFormation file
cfn-giam -i ./CFn/example.yml
cfn-giam writes "./CFn/example.json"
CloudFormation folder
cfn-giam -i ./CFn -o ./dist
cfn-giam writes "./dist/CFn/example.json" (one policy per template)
cfn-giam writes "./dist/MasterPolicy.json"
CloudFormation URL
cfn-giam -i https://s3.ap-northeast-1.amazonaws.com/cloudformation-templates-ap-northeast-1/Windows_Single_Server_SharePoint_Foundation.template
cfn-giam writes "./Windows_Single_Server_SharePoint_Foundation.json"
CloudFormation resource type list
cfn-giam -l AWS::EC2::Instance,AWS::EC2::SecurityGroup,AWS::EC2::Instance
cfn-giam writes the policy to the current directory, since no input path is given
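The policy generation the tool performs, as an added example that is not cfn-giam's own code: a CloudFormation template is parsed, the unique resource types are collected, each type's provider schema (the `Schema` field that `aws cloudformation describe-type` returns) is consulted for the `handlers` permissions, and the union of those permissions becomes an Allow statement. The schemas and the template below are constructed, abbreviated samples; the registry lookup itself is not performed, and the merged "master" policy is assumed to be the plain union of per-template policies.

```python
"""
Least-privilege IAM policy from CloudFormation resource types, built from the
'handlers' permissions of CloudFormation resource provider schemas.
Added example; schemas and template are constructed samples.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed, abbreviated schema fragments in the shape of the parsed
# "Schema" field of `aws cloudformation describe-type`. Only the handler
# permissions are kept, since that is what the policy is derived from.
SAMPLE_SCHEMAS: Dict[str, dict] = {
    "AWS::EC2::SecurityGroup": {
        "handlers": {
            "create": {"permissions": ["ec2:CreateSecurityGroup",
                                       "ec2:AuthorizeSecurityGroupIngress",
                                       "ec2:CreateTags"]},
            "read":   {"permissions": ["ec2:DescribeSecurityGroups"]},
            "update": {"permissions": ["ec2:AuthorizeSecurityGroupIngress",
                                       "ec2:RevokeSecurityGroupIngress"]},
            "delete": {"permissions": ["ec2:DeleteSecurityGroup"]},
        }
    },
    "AWS::S3::Bucket": {
        "handlers": {
            "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]},
            "read":   {"permissions": ["s3:GetBucketTagging"]},
            "delete": {"permissions": ["s3:DeleteBucket"]},
            "list":   {"permissions": ["s3:ListAllMyBuckets"]},
        }
    },
}

# Constructed template in JSON form. YAML templates need a loader that
# accepts the short-form intrinsic tags (!Ref, !GetAtt); not covered here.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSg":  {"Type": "AWS::EC2::SecurityGroup",
                   "Properties": {"GroupDescription": "web tier"}},
        "Logs":   {"Type": "AWS::S3::Bucket"},
        "Custom": {"Type": "Custom::Lookup",
                   "Properties": {"ServiceToken": "arn:aws:lambda:placeholder"}},
    }
})


def load_template(text: str) -> dict:
    """Parse a JSON CloudFormation template."""
    return json.loads(text)


def resource_types(template: dict) -> List[str]:
    """Unique resource types in the template, in first-seen order."""
    seen: List[str] = []
    for res in template.get("Resources", {}).values():
        rtype = res.get("Type")
        if rtype and rtype not in seen:
            seen.append(rtype)
    return seen


def actions_for_type(schema: dict) -> List[str]:
    """Union of permissions over every handler (create/read/update/delete/list)."""
    actions = set()
    for handler in schema.get("handlers", {}).values():
        actions.update(handler.get("permissions", []))
    return sorted(actions)


def build_policy(types: Iterable[str],
                 schemas: Dict[str, dict]) -> Tuple[dict, List[str]]:
    """Return (policy_document, types_without_a_schema).

    Types with no registry schema (e.g. Custom:: resources backed by Lambda)
    are reported rather than silently granted nothing.
    """
    actions = set()
    unresolved: List[str] = []
    for rtype in types:
        if rtype in schemas:
            actions.update(actions_for_type(schemas[rtype]))
        else:
            unresolved.append(rtype)
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            # "*" is the broadest scope; narrow to concrete ARNs before use.
            "Resource": "*",
        }],
    }
    return policy, unresolved


def merge_policies(policies: Iterable[dict]) -> dict:
    """Master policy: union of the Allow actions of several generated policies."""
    actions = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions),
                           "Resource": "*"}]}


if __name__ == "__main__":
    doc, missing = build_policy(resource_types(load_template(SAMPLE_TEMPLATE)),
                                SAMPLE_SCHEMAS)
    print(json.dumps(doc, indent=2))
    if missing:
        print("no schema for:", ", ".join(missing))
```

Review the `unresolved` list before trusting the output: a custom resource's permissions live in its Lambda function, not in the registry, so the generated policy cannot cover it.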
Automated procedure (GitHub Actions)
1. Fork this repository to your GitHub account.
2. Create the IAM Role and IAM identity provider for GitHub Actions:
   - Open CloudFormation in your AWS account.
   - Create a stack from GithubOIDCRole-ReadOnly.yml.
   - Note the Role ARN created by the stack and the name of the region the stack is in.
3. Register the Role ARN and region name as GitHub secrets:
   - Open the GitHub Actions page of your repository.
   - Register the following as GitHub secrets:
     - NAME: AWS_REGION, VALUE: the name of the region containing the stack
     - NAME: ROLE_ARN, VALUE: the Role ARN created by the stack
4. Commit and push your CloudFormation file:
   - Add your CloudFormation file to the CFn folder.
   - Commit and push to your repository.
5. Check the artifacts on GitHub Actions:
   - Open the GitHub Actions page of your repository.
   - Make sure the latest "Check the IAM Policy" workflow run succeeded.
   - Open the latest workflow run.
   - Download the artifact from the latest workflow run.
Others
GitHub Actions OIDC thumbprint
The thumbprint of the GitHub Actions OIDC provider certificate changes from time to time (see the Changelog for an example).
When it does, obtain the new thumbprint with GetGithubOIDCThumbprint.sh and update GithubOIDCRole-ReadOnly.yml with it:
sh GetGithubOIDCThumbprint.sh
Download files
Source Distribution
cfngiam-0.0.6.tar.gz