AWSTemplateFormatVersion: '2010-09-09' Parameters: GitHubOrg: Type: String Default: aws RepositoryName: Type: String Default: aws-parallelcluster-ui Resources: ProductionDeploy: Type: AWS::IAM::Role Properties: Description: "Role used to deploy PCM to customers" AssumeRolePolicyDocument: Statement: - Effect: Allow Action: sts:AssumeRoleWithWebIdentity Principal: Federated: !Ref GithubOidc Condition: StringLike: token.actions.githubusercontent.com:aud: sts.amazonaws.com token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/tags/* Policies: - PolicyName: PushPublicECR PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: ecr-public:DescribeRepositories Resource: !Sub arn:${AWS::Partition}:ecr-public::${AWS::AccountId}:repository/* - Effect: Allow Action: - ecr-public:GetAuthorizationToken - sts:GetServiceBearerToken Resource: "*" - Effect: Allow Action: - ecr-public:CompleteLayerUpload - ecr-public:UploadLayerPart - ecr-public:InitiateLayerUpload - ecr-public:BatchCheckLayerAvailability - ecr-public:PutImage - ecr-public:TagResource Resource: !Sub arn:${AWS::Partition}:ecr-public::${AWS::AccountId}:repository/parallelcluster-ui - PolicyName: UploadS3Bucket PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:PutObject - s3:GetObject - s3:ListBucket Resource: - !Sub arn:${AWS::Partition}:s3:::parallelcluster-ui-release-artifacts-us-east-1 - !Sub arn:${AWS::Partition}:s3:::parallelcluster-ui-release-artifacts-us-east-1/* - !Sub arn:${AWS::Partition}:s3:::parallelcluster-ui-release-artifacts-eu-west-1 - !Sub arn:${AWS::Partition}:s3:::parallelcluster-ui-release-artifacts-eu-west-1/* GithubOidc: Type: AWS::IAM::OIDCProvider Properties: Url: https://token.actions.githubusercontent.com ClientIdList: - sts.amazonaws.com ThumbprintList: - 6938fd4d98bab03faadb97b34396831e3780aea1 Outputs: ProductionDeploy: Value: !GetAtt ProductionDeploy.Arn