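function Get-AlkamiSecretResourcePolicyString {
    <#
    .SYNOPSIS
    Returns the string for an AWS Secret resource policy that allows access to admins and SysEng (by default).

    .DESCRIPTION
    Builds a Secrets Manager resource policy that consists of a single explicit Deny statement:
    every principal ("Principal": {"AWS": "*"}) is denied "secretsmanager:*" on the secret unless
    its aws:PrincipalArn is one of the allow-listed ARNs (ArnNotEquals). The default allow-list is
    the CLI-SRE-Admin role, the DAG-AWS-Admins role and the account root of the account that the
    given profile resolves to (looked up with Get-STSCallerIdentity).

    The policy contains no Allow statement, so the allow-listed principals still need permission
    from their own identity-based policies. The account root stays in the allow-list so the secret
    can always be administered; an allow-list without it risks locking the account out of the secret.
    ARNs are compared with ArnNotEquals, so wildcards in extra ARNs are not expanded.

    .PARAMETER ProfileName
    [string] The AWS profile to use when creating the resource policy. The account number embedded
    in the default ARNs is taken from this profile's caller identity.

    .PARAMETER SecretAccessExtraArns
    [string[]] An array of AWS ARNs allowed to access the secret in addition to the defaults.
    Null or whitespace-only entries are skipped; other entries are appended as-is (no ARN syntax
    validation is performed, so a mistyped ARN simply never matches).

    .OUTPUTS
    [string] The policy document as compressed JSON.

    .EXAMPLE
    Get-AlkamiSecretResourcePolicyString -ProfileName 'temp-dev'

    {"Version":"2012-10-17","Statement":[{"Action":"secretsmanager:*","Condition":{"ArnNotEquals":{"aws:PrincipalArn":["arn:aws:iam::327695573722:role/CLI-SRE-Admin","arn:aws:iam::327695573722:role/DAG-AWS-Admins","arn:aws:iam::327695573722:root"]}},"Principal":{"AWS":"*"},"Resource":"*","Effect":"Deny","Sid":"DenyAllUnlessExplicitlyAllowed"}]}

    .EXAMPLE
    Get-AlkamiSecretResourcePolicyString -ProfileName 'temp-dev' -SecretAccessExtraArns @( 'ExampleArn1', 'ExampleArn2' )

    {"Version":"2012-10-17","Statement":[{"Action":"secretsmanager:*","Condition":{"ArnNotEquals":{"aws:PrincipalArn":["arn:aws:iam::327695573722:role/CLI-SRE-Admin","arn:aws:iam::327695573722:role/DAG-AWS-Admins","arn:aws:iam::327695573722:root","ExampleArn1","ExampleArn2"]}},"Principal":{"AWS":"*"},"Resource":"*","Effect":"Deny","Sid":"DenyAllUnlessExplicitlyAllowed"}]}
    #>
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $ProfileName,

        [Parameter(Mandatory = $false)]
        [string[]] $SecretAccessExtraArns = $null
    )

    Import-AWSModule

    $accountNumber = (Get-STSCallerIdentity -ProfileName $ProfileName).Account

    # Refuse to emit a policy with an empty account number: the default ARNs would then match no
    # real principal and the Deny would apply to everyone, including root, locking the secret.
    if ([string]::IsNullOrWhiteSpace($accountNumber)) {
        throw "Could not determine the AWS account number for profile '$ProfileName'; refusing to build a resource policy that would deny all principals."
    }

    # Assemble the full allow-list before building the policy. The original mutated the nested
    # condition through $policyObj.Statement.Condition..., which only works while Statement holds
    # exactly one element; building the list up front keeps the policy object immutable after creation.
    [string[]] $allowedPrincipalArns = @(
        "arn:aws:iam::${accountNumber}:role/CLI-SRE-Admin",
        "arn:aws:iam::${accountNumber}:role/DAG-AWS-Admins",
        "arn:aws:iam::${accountNumber}:root"
    )

    # Add any extra ARNs that need access to the secret; blank entries are ignored.
    # foreach over $null iterates zero times, so the default parameter value needs no special case.
    foreach ( $extraArn in $SecretAccessExtraArns ) {
        if ( -not [string]::IsNullOrWhiteSpace($extraArn) ) {
            $allowedPrincipalArns += $extraArn
        }
    }

    # Plain (unordered) hashtables are used deliberately so the JSON key order matches the
    # documented examples; [ordered] would change the emitted layout.
    $policyObj = @{
        Version   = "2012-10-17"
        Statement = @(
            @{
                Sid       = "DenyAllUnlessExplicitlyAllowed"
                Action    = "secretsmanager:*"
                Effect    = "Deny"
                Resource  = "*"
                Principal = @{
                    AWS = "*"
                }
                Condition = @{
                    ArnNotEquals = @{
                        "aws:PrincipalArn" = $allowedPrincipalArns
                    }
                }
            }
        )
    }

    # Depth 10 comfortably covers the nesting (Statement -> Condition -> ArnNotEquals -> array).
    return (ConvertTo-Json -InputObject $policyObj -Compress -Depth 10)
}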