TWagnerMediumBlogSampleCFTemplatePart6
```yaml
NATPunchFunctionRole:
  Description: AWS Lambda NATPunch function role
  Type: AWS::IAM::Role
  Properties:
    # Heavily mangled to ensure we always know the origin and purpose of this role
    # just by looking at its name.
    RoleName: !Sub 'CodeStar-${ProjectId}-NATPunchFunctionRole-${Stage}'
    # All Lambda roles need to enable Lambda to assume them...
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: sts:AssumeRole
    # Permissions this role grants.
    ManagedPolicyArns:
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonDynamoDBFullAccess'
      # The following provides the ability to "manage a connection", which is
      # API Gateway speak for doing a websocket callback via an @connection request.
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess'
    # This is a CodeStar requirement; do not remove unless the CI/CD system is changing.
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
```
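A least-privilege variant of the role above, added here as an example and not part of the original gist: the two `*FullAccess` managed policies are replaced by an inline policy scoped to one table and to the WebSocket callback route. `WebSocketApi` and `ConnectionsTable` are hypothetical logical IDs for resources assumed to be defined elsewhere in the same template, the API stage is assumed to be named after the `Stage` parameter, and the DynamoDB action list is an assumption about what the function calls.

```yaml
# Added example, not the gist author's code.
# Assumed (hypothetical) resources in the same template:
#   WebSocketApi     - AWS::ApiGatewayV2::Api
#   ConnectionsTable - AWS::DynamoDB::Table
NATPunchFunctionRole:
  Description: AWS Lambda NATPunch function role
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub 'CodeStar-${ProjectId}-NATPunchFunctionRole-${Stage}'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: sts:AssumeRole
    ManagedPolicyArns:
      # Kept: grants only CloudWatch Logs write access for the function.
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
    Policies:
      - PolicyName: NATPunchScopedAccess
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Replaces AmazonDynamoDBFullAccess: item-level access to one table.
            # The action list is an assumption; trim it to what the handler uses.
            - Sid: ConnectionTableItems
              Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:PutItem
                - dynamodb:DeleteItem
                - dynamodb:Query
              Resource:
                - !GetAtt ConnectionsTable.Arn
            # Replaces AmazonAPIGatewayInvokeFullAccess: only the @connections
            # callback on this API and stage.
            - Sid: WebSocketCallback
              Effect: Allow
              Action: execute-api:ManageConnections
              Resource:
                - !Sub 'arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${WebSocketApi}/${Stage}/POST/@connections/*'
    # Unchanged CodeStar requirement from the original role.
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
```

Effective permissions are the intersection of this policy and the permissions boundary, so the boundary must also allow these actions on these resources.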