AWS CloudFormation: simple IAM roles

柏阳炎
2023-12-01

Create three IAM roles, each with a trust policy that lets one AWS service assume it, for use by that service:

  • Lambda role: datalakeLambdaRole
  • Glue role: datalakeGlueRole
  • Step Functions role: datalakeStepfunctionRole

Two points to note before deploying. Each role sets RoleName explicitly, so the stack has to be created or updated with --capabilities CAPABILITY_NAMED_IAM. And "simple" here means permissive, not minimal: every role carries an inline policy granting cloudformation:* on Resource '*' together with several *FullAccess managed policies (the Lambda role attaches AWSStepFunctionsReadOnlyAccess next to AWSStepFunctionsFullAccess, and the Step Functions role attaches AWSLambdaRole next to AWSLambda_FullAccess, both redundant), and none of the trust policies restricts the service principal with a Condition such as aws:SourceAccount. Scope the actions and resources down to what each job actually needs before using this outside a sandbox account.

Resources:
  datalakeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role to provide access to Lambda
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: '*'
      ManagedPolicyArns: 
        - arn:aws-cn:iam::aws:policy/AWSStepFunctionsConsoleFullAccess
        - arn:aws-cn:iam::aws:policy/AWSStepFunctionsFullAccess
        - arn:aws-cn:iam::aws:policy/AmazonSNSFullAccess
        - arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws-cn:iam::aws:policy/CloudWatchEventsFullAccess
        - arn:aws-cn:iam::aws:policy/AWSStepFunctionsReadOnlyAccess
        - arn:aws-cn:iam::aws:policy/AWSLambda_FullAccess
      RoleName: datalakeLambdaRole

  datalakeGlueRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role to provide access to Glue
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: '*'
      ManagedPolicyArns: 
        - arn:aws-cn:iam::aws:policy/AmazonS3FullAccess
        - arn:aws-cn:iam::aws:policy/AmazonRedshiftFullAccess
        - arn:aws-cn:iam::aws:policy/AmazonSNSFullAccess
        - arn:aws-cn:iam::aws:policy/service-role/AWSGlueServiceRole
        - arn:aws-cn:iam::aws:policy/AmazonRedshiftDataFullAccess
        - arn:aws-cn:iam::aws:policy/AmazonAthenaFullAccess
      RoleName: datalakeGlueRole
      
  datalakeStepfunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - states.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role to provide access to Step Functions
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: '*'
      ManagedPolicyArns:
        - arn:aws-cn:iam::aws:policy/AmazonElasticMapReduceFullAccess
        - arn:aws-cn:iam::aws:policy/service-role/AWSLambdaRole
        - arn:aws-cn:iam::aws:policy/AWSLambda_FullAccess
      RoleName: datalakeStepfunctionRole      
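As an added example (not part of the original post, and not an AWS tool), the following Python script audits a parsed CloudFormation template for the patterns visible in the roles above: a wildcard action granted on Resource '*', *FullAccess managed policies, a ReadOnly policy attached alongside its FullAccess twin, and a service trust policy with no Condition. The sample input is the page's datalakeLambdaRole transcribed as a Python dict, next to a constructed hardened role whose account ID and state machine ARN are placeholders.

```python
from __future__ import annotations

# Added example, not part of the original post: audit AWS::IAM::Role resources in a
# parsed CloudFormation template (YAML or JSON) for the over-broad grants found in
# the template above. SAMPLE_TEMPLATE holds the page's datalakeLambdaRole as a dict
# plus a constructed hardened counterpart for comparison.


def _as_list(value):
    """IAM allows Action/Resource/Statement as a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_inline_statements(props: dict) -> list[str]:
    """Flag Allow statements granting '*' or '<service>:*' on Resource '*'."""
    findings = []
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy["PolicyDocument"].get("Statement")):
            if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
                continue
            actions = _as_list(stmt.get("Action"))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"inline policy {policy['PolicyName']}: {actions} on Resource '*'")
    return findings


def check_managed_policies(props: dict) -> list[str]:
    """Flag *FullAccess attachments and ReadOnly policies made redundant by them."""
    findings = []
    names = [arn.rsplit("/", 1)[-1] for arn in props.get("ManagedPolicyArns", [])]
    for name in names:
        if name.endswith("FullAccess"):
            findings.append(f"managed policy {name} grants full access")
        elif name.endswith("ReadOnlyAccess") and name.replace("ReadOnlyAccess", "FullAccess") in names:
            findings.append(f"{name} is redundant: the matching FullAccess policy is attached")
    return findings


def check_trust_policy(props: dict) -> list[str]:
    """Flag service principals trusted with no Condition (confused-deputy guard)."""
    findings = []
    for stmt in _as_list(props["AssumeRolePolicyDocument"].get("Statement")):
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "Service" in principal and "Condition" not in stmt:
            findings.append(f"trust policy: {_as_list(principal['Service'])} may assume the role "
                            "without an aws:SourceAccount / aws:SourceArn Condition")
    return findings


def audit_template(template: dict) -> dict[str, list[str]]:
    """Return {logical id: [findings]} for every AWS::IAM::Role in the template."""
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::IAM::Role":
            props = resource["Properties"]
            report[logical_id] = (check_inline_statements(props)
                                  + check_managed_policies(props) + check_trust_policy(props))
    return report


def _trust(service: str, condition: dict | None = None) -> dict:
    """Build a service trust policy; the Condition is optional on purpose."""
    stmt = {"Effect": "Allow", "Principal": {"Service": [service]}, "Action": ["sts:AssumeRole"]}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _inline(action: str, resource: str) -> list:
    """One inline policy with a single Allow statement, as in the page's template."""
    statement = {"Effect": "Allow", "Action": action, "Resource": resource}
    return [{"PolicyName": "EmbeddedInlinePolicy",
             "PolicyDocument": {"Version": "2012-10-17", "Statement": [statement]}}]


_CN = "arn:aws-cn:iam::aws:policy/"
SAMPLE_TEMPLATE = {"Resources": {
    # The page's datalakeLambdaRole, transcribed from the YAML above.
    "datalakeLambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": _trust("lambda.amazonaws.com"),
        "Policies": _inline("cloudformation:*", "*"),
        "ManagedPolicyArns": [_CN + p for p in (
            "AWSStepFunctionsConsoleFullAccess", "AWSStepFunctionsFullAccess", "AmazonSNSFullAccess",
            "service-role/AWSLambdaBasicExecutionRole", "CloudWatchEventsFullAccess",
            "AWSStepFunctionsReadOnlyAccess", "AWSLambda_FullAccess")],
        "RoleName": "datalakeLambdaRole"}},
    # Constructed hardened counterpart (not from the page): trust pinned to the account,
    # one action on one hypothetical state machine, basic logging only. Placeholder IDs.
    "hardenedLambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": _trust("lambda.amazonaws.com",
                                           {"StringEquals": {"aws:SourceAccount": "123456789012"}}),
        "Policies": _inline("states:StartExecution",
                            "arn:aws-cn:states:cn-north-1:123456789012:stateMachine:datalake-etl"),
        "ManagedPolicyArns": [_CN + "service-role/AWSLambdaBasicExecutionRole"],
        "RoleName": "hardenedLambdaRole"}},
}}

if __name__ == "__main__":
    for role, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{role}: {len(findings)} finding(s)", *("\n  - " + f for f in findings))
```

To run it against a real template, load the file with json.load (or PyYAML's yaml.safe_load with a constructor for CloudFormation short-form tags such as !Ref, which the template above does not use) and pass the dict to audit_template. The checks are heuristics: they catch the patterns in this template by name but do not expand what each managed policy actually grants.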