创建4个信任角色的IAM ROLE,用于服务内使用的角色
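# IAM roles for the data-lake pipeline, one per service: Lambda, Glue and
# Step Functions. Each trust policy allows only that service principal to
# call sts:AssumeRole; permissions come from an inline policy plus AWS
# managed policies.
#
# Managed-policy ARNs are built with ${AWS::Partition} instead of a literal
# partition, so the same template deploys in China regions (resolves to
# aws-cn, as the original hard-coded value) and in the standard partition.
#
# NOTE(review): every role carries cloudformation:* on Resource '*' and
# several *FullAccess managed policies. Scope the inline statement to the
# CloudFormation actions and stack ARNs the pipeline actually uses, and
# replace the FullAccess policies with least-privilege ones once the
# required actions are known.
#
# RoleName is hard-coded on all three roles: the stack must be created with
# CAPABILITY_NAMED_IAM, and only one copy of the stack can exist per account
# because IAM role names are account-wide.
Resources:
  # Execution role for Lambda functions.
  datalakeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role to provide access to Lambda
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Broad: all CloudFormation actions on all stacks (see header note).
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: '*'
      ManagedPolicyArns:
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AWSStepFunctionsConsoleFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AWSStepFunctionsFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonSNSFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchEventsFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AWSStepFunctionsReadOnlyAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AWSLambda_FullAccess'
      RoleName: datalakeLambdaRole

  # Service role for Glue jobs and crawlers.
  datalakeGlueRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role to provide access glue
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Broad: all CloudFormation actions on all stacks (see header note).
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: '*'
      ManagedPolicyArns:
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonS3FullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonRedshiftFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonSNSFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSGlueServiceRole'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonRedshiftDataFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonAthenaFullAccess'
      RoleName: datalakeGlueRole

  # Execution role for Step Functions state machines.
  datalakeStepfunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - states.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role to provide access
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Broad: all CloudFormation actions on all stacks (see header note).
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: '*'
      ManagedPolicyArns:
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticMapReduceFullAccess'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaRole'
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/AWSLambda_FullAccess'
      RoleName: datalakeStepfunctionRole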