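/// <summary>
/// Creates the IAM role assumed by the CodeBuild project and attaches an inline
/// policy for the permissions the managed policy does not grant.
/// </summary>
/// <returns>The created <see cref="Role"/>.</returns>
private Role CreateBuildRole()
{
    // NOTE(review): AWSCodeBuildAdminAccess is an administrative managed policy; if the
    // build only needs to run and report on its own project, a narrower policy is worth
    // confirming with whoever owns the pipeline.
    Role role = IamUtil.CreateRole(
        "WakerUpperBuild",
        "codebuild.amazonaws.com",
        "arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess");

    // Add permissions not covered by the managed policies.
    // NOTE(review): Resources = "*" combined with s3:GetObject/GetObjectVersion/PutObject
    // lets this role read and overwrite objects in every bucket the account owns. The s3
    // actions should be scoped to the artifact bucket once it is known here, e.g.
    // "arn:aws:s3:::<ARTIFACT_BUCKET>/*" (placeholder). The logs:* actions are commonly
    // left on "*" because CodeBuild log group names are derived from the project name.
    Output<GetPolicyDocumentResult> policyDocument = Output.Create(GetPolicyDocument.InvokeAsync(new GetPolicyDocumentArgs
    {
        Statements =
        {
            new GetPolicyDocumentStatementArgs
            {
                Resources = { "*" },
                Actions =
                {
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:PutObject",
                },
            }
        }
    }));

    // Constructing the RolePolicy is what declares the resource; the instance is never
    // read again, so discard it instead of keeping an unused local.
    _ = new RolePolicy("WakerUpperBuilder", new RolePolicyArgs
    {
        Role = role.Id,
        Policy = policyDocument.Apply(p => p.Json),
    });

    return role;
}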
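/// <summary>
/// Creates an IAM role that the given AWS service principal may assume and attaches
/// each supplied managed policy to it.
/// </summary>
/// <param name="name">Pulumi resource name of the role; also prefixes the attachment names.</param>
/// <param name="principal">Service principal allowed to call sts:AssumeRole (e.g. "codebuild.amazonaws.com").</param>
/// <param name="managedPolicyArns">ARNs of managed policies to attach; may be empty.</param>
/// <returns>The created <see cref="Role"/>.</returns>
/// <exception cref="ArgumentException">
/// Thrown when <paramref name="name"/> or <paramref name="principal"/> is null or whitespace.
/// </exception>
public static Role CreateRole(string name, string principal, params string[] managedPolicyArns)
{
    if (string.IsNullOrWhiteSpace(name))
    {
        throw new ArgumentException("A role name is required.", nameof(name));
    }

    if (string.IsNullOrWhiteSpace(principal))
    {
        throw new ArgumentException("A service principal is required.", nameof(principal));
    }

    // Trust policy: only the named service principal may assume this role.
    Output<GetPolicyDocumentResult> assumeRolePolicy = Output.Create(GetPolicyDocument.InvokeAsync(new GetPolicyDocumentArgs
    {
        Statements =
        {
            new GetPolicyDocumentStatementArgs
            {
                Actions = { "sts:AssumeRole" },
                Principals =
                {
                    new GetPolicyDocumentStatementPrincipalArgs
                    {
                        Type = "Service",
                        Identifiers = { principal },
                    }
                }
            }
        }
    }));

    Role role = new Role(name, new RoleArgs
    {
        AssumeRolePolicy = assumeRolePolicy.Apply(p => p.Json),
        Path = "/",
    });

    // Every attachment needs its own Pulumi resource name. The previous code used
    // $"{name}Attachment" for each ARN, so passing more than one managed policy would
    // declare two resources under the same name. The first attachment keeps the
    // historical name so existing stacks are not replaced; later ones get an index suffix.
    // `params` still allows an explicit null argument, hence the fallback to an empty array.
    string[] arns = managedPolicyArns ?? Array.Empty<string>();
    for (int i = 0; i < arns.Length; i++)
    {
        string attachmentName = i == 0 ? $"{name}Attachment" : $"{name}Attachment{i}";
        _ = new RolePolicyAttachment(attachmentName, new RolePolicyAttachmentArgs
        {
            Role = role.Name,
            PolicyArn = arns[i],
        });
    }

    return role;
}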