Last active
June 8, 2021 03:07
-
-
Save alecbw/8766b542ae99d1563e9320b391557202 to your computer and use it in GitHub Desktop.
YAML for CloudFormation that creates an IAM User, an IAM Policy with permissions on S3, Glue, Athena to use Athena and DynamoDB, and attaches the Policy to the User. It will also produce an Access Key and Access Secret.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: 'Creates an IAM User with attached Role for VENDOR Access' | |
| Resources: | |
| User: | |
| Type: AWS::IAM::User | |
| Properties: | |
| UserName: 'VENDOR-access-iam-user' | |
| Tags: | |
| - Key: "deployment" | |
| Value: "CloudFormation" | |
| - Key: "access" | |
| Value: "external" | |
| AccessKey: | |
| Type: AWS::IAM::AccessKey | |
| Properties: | |
| UserName: !Ref User | |
| AttachedPolicy: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyName: 'VENDOR-access-iam-attached-policy-athena-reads' | |
| Users: [!Ref 'User'] | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:GetObject | |
| - s3:PutObject | |
| Resource: | |
| - { "Fn::Sub": "arn:aws:s3:::athena-query-results-bucket-${AWS::AccountId}/*" } | |
| - { "Fn::Sub": "arn:aws:s3:::other-bucket-where-datalake-is-${AWS::AccountId}/*" } | |
| - Effect: Allow | |
| Action: | |
| - s3:ListBucket | |
| - s3:GetBucketLocation | |
| Resource: | |
| - { "Fn::Sub": "arn:aws:s3:::athena-query-results-bucket-${AWS::AccountId}" } | |
| - { "Fn::Sub": "arn:aws:s3:::other-bucket-where-datalake-is-${AWS::AccountId}" } | |
| - Effect: Allow | |
| Action: | |
| - athena:StartQueryExecution | |
| - athena:CancelQueryExecution | |
| - athena:StopQueryExecution | |
| - athena:GetQueryExecution | |
| - athena:GetQueryResults | |
| - athena:GetWorkGroup | |
| Resource: | |
| - { "Fn::Sub": "arn:aws:athena:*:${AWS::AccountId}:*" } | |
| - Effect: Allow | |
| Action: | |
| - glue:SearchTables | |
| - glue:GetTable | |
| - glue:GetTables | |
| - glue:GetDatabase | |
| - glue:GetDatabases | |
| - glue:GetPartition | |
| - glue:GetPartitions | |
| Resource: | |
| - { "Fn::Sub": "arn:aws:glue:*:${AWS::AccountId}:*" } | |
| - Effect: Allow | |
| Action: | |
| - dynamodb:ListTables | |
| - dynamodb:GetItem | |
| - dynamodb:BatchGetItem | |
| - dynamodb:Scan | |
| - dynamodb:Query | |
| Resource: | |
| - { "Fn::Sub": "arn:aws:dynamodb:*:${AWS::AccountId}:*" } | |
| Outputs: | |
| UserName: | |
| Description: The UserName associated with the IAM User account | |
| Value: !Ref User | |
| Export: | |
| Name: !Join ["-", [!Ref "AWS::StackName", "user-name"]] | |
| UserARN: | |
| Description: The ARN associated with the IAM User account | |
| Value: !GetAtt User.Arn | |
| Export: | |
| Name: !Join ["-", [!Ref "AWS::StackName", "user-arn"]] | |
| AccessKeyId: | |
| Description: the Access Key Id | |
| Value: !Ref AccessKey | |
| AccessKeySecret: | |
| Description: the Access Key Secret | |
| Value: !GetAtt AccessKey.SecretAccessKey |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment