52 lines
1.5 KiB
PowerShell
52 lines
1.5 KiB
PowerShell
|
function New-ServerlessServiceAccountIamPolicy {
|
||
|
|
<#
|
||
|
|
.SYNOPSIS
|
||
|
|
Creates and configures an AWS IAM inline policy for an IAM role
|
||
|
|
that grants read access to the specified secrets.
|
||
|
|
|
||
|
|
.PARAMETER RoleArn
|
||
|
|
[string] The pre-existing IAM role ARN.
|
||
|
|
|
||
|
|
.PARAMETER ProfileName
|
||
|
|
[string] The AWS profile to use during policy creation.
|
||
|
|
|
||
|
|
.PARAMETER Region
|
||
|
|
[string] The AWS region to use during policy creation.
|
||
|
|
|
||
|
|
.PARAMETER SecretArns
|
||
|
|
[string[]] An array of AWS Secrets Manager secret ARNs to grant access to in the IAM policy.
|
||
|
|
|
||
|
|
.EXAMPLE
|
||
|
|
#>
|
||
|
|
[CmdletBinding()]
|
||
|
|
param (
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $RoleArn,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string] $ProfileName,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateScript({$_ -in (Get-AWSRegion).region})]
|
||
|
|
[string] $Region,
|
||
|
|
|
||
|
|
[Parameter(Mandatory = $true)]
|
||
|
|
[ValidateNotNullOrEmpty()]
|
||
|
|
[string[]] $SecretArns
|
||
|
|
)
|
||
|
|
|
||
|
|
Import-AWSModule
|
||
|
|
|
||
|
|
$inlinePolicy = Get-ServerlessServiceAccountIamPolicyString -SecretArns $SecretArns
|
||
|
|
|
||
|
|
# AWS PowerShell expects the role name, not ARN.
|
||
|
|
$roleName = $RoleArn.Split("/")[-1]
|
||
|
|
|
||
|
|
Write-IAMRolePolicy -RoleName $roleName `
|
||
|
|
-PolicyName "account-secret-access-inline-policy" `
|
||
|
|
-PolicyDocument $inlinePolicy `
|
||
|
|
-ProfileName $ProfileName `
|
||
|
|
-Region $Region
|
||
|
|
}
|