
Creating, with the AWS CLI, a user who can switch to a Role that has an access-restriction policy attached
I had occasion to build this for a project, so here it is, quickly.

IAM.yml

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "SampleApp - IAM"
Parameters:
  ProjectName:
    Description: "Project name"
    Type: "String"
    Default: "SampleApp"
Resources:
  # Role that developers switch into. The trust policy names the account root,
  # so any principal in this account that is allowed sts:AssumeRole on this
  # role's ARN (e.g. via a group policy) can assume it.
  IamSampleDeveloperRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${ProjectName}SampleDeveloper
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
  # Inline policy restricting the role: DynamoDB writes only on dev-* tables,
  # full S3 only on buckets whose name contains "dev".
  IamSampleDeveloperPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: IamSampleDeveloperPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:List*
              - dynamodb:DescribeReservedCapacity*
              - dynamodb:DescribeLimits
              - dynamodb:DescribeTimeToLive
            Resource: '*'
          - Effect: Allow
            Action:
              - dynamodb:BatchGet*
              - dynamodb:DescribeStream
              - dynamodb:DescribeTable
              - dynamodb:Get*
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:BatchWrite*
              - dynamodb:CreateTable
              - dynamodb:Delete*
              - dynamodb:Update*
              - dynamodb:PutItem
            Resource:
              - arn:aws:dynamodb:*:*:table/dev-*
          - Effect: Allow
            Action:
              - s3:ListAllMyBuckets
            Resource:
              - arn:aws:s3:::*
          - Effect: Allow
            Action:
              - s3:*
            Resource:
              - arn:aws:s3:::*dev*
      Roles:
        - Ref: IamSampleDeveloperRole
  IamSampleDevelopersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !...
```
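The inline policy above is what actually limits the switched-to role: DynamoDB writes are scoped to tables named `dev-*` and full S3 access to buckets whose name contains `dev`. Before deploying such a policy it is worth checking concrete action/resource pairs against it, including ones you expect to be refused. The following is an added example, not code from the original post: a simplified IAM evaluator (explicit Deny wins, otherwise any matching Allow grants, with `*`/`?` wildcard matching and case-insensitive action names) run over a constructed copy of the template's statements. It ignores conditions, `NotAction`/`NotResource`, permission boundaries, SCPs and resource policies, so it is a pre-deployment sanity check, not a substitute for the IAM policy simulator. The table and bucket names in the checks are constructed.

```python
"""Simplified IAM policy evaluator (added example; not the original post's code).

Evaluates one Action on one Resource against Allow/Deny statements only.
Not modelled: Condition, NotAction/NotResource, SCPs, permission boundaries,
resource policies, session policies.
"""
import re

# Constructed JSON copy of the PolicyDocument in IamSampleDeveloperPolicies.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:List*", "dynamodb:DescribeReservedCapacity*",
                    "dynamodb:DescribeLimits", "dynamodb:DescribeTimeToLive"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:BatchGet*", "dynamodb:DescribeStream",
                    "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query",
                    "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable",
                    "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"],
         "Resource": ["arn:aws:dynamodb:*:*:table/dev-*"]},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::*dev*"]},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern, value, ignore_case):
    """IAM-style matching: '*' is any run of characters, '?' one character.
    Unlike fnmatch there are no character classes, so every other char is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for (action, resource).

    Action names are case-insensitive in IAM; ARNs are matched case-sensitively.
    An explicit Deny in any matching statement overrides every Allow.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(p, resource, False)
                           for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource) == "Allow"


if __name__ == "__main__":
    # Constructed account id, region, table and bucket names.
    dev_table = "arn:aws:dynamodb:ap-northeast-1:123456789012:table/dev-orders"
    prod_table = "arn:aws:dynamodb:ap-northeast-1:123456789012:table/prod-orders"
    checks = [
        ("dynamodb:PutItem", dev_table),
        ("dynamodb:PutItem", prod_table),
        ("dynamodb:ListTables", "*"),
        ("s3:GetObject", "arn:aws:s3:::sampleapp-dev-assets/index.html"),
        ("s3:DeleteBucket", "arn:aws:s3:::sampleapp-prod-assets"),
        # Substring match pitfall: "*dev*" also covers a bucket named devops-prod-backups.
        ("s3:DeleteBucket", "arn:aws:s3:::devops-prod-backups"),
    ]
    for act, res in checks:
        print(f"{act:22} {res:62} {evaluate(DEVELOPER_POLICY, act, res)}")
```

The last check is the caveat worth noticing in this template: `arn:aws:s3:::*dev*` is a substring match, so a bucket named `devops-prod-backups` falls inside the developer role's `s3:*` grant. A prefix pattern such as the one used for DynamoDB (`dev-*`) is the tighter choice when bucket naming allows it.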