# @@@ IAM Role Helper Template
# Challenge Name: Mastering DynamoDB Indexes
# Challenge ID: 131
# Version: 1.0.3
# Author: The Ooggi Team (https://ooggi.com)
#
# Description:
#
# Once deployed, this CloudFormation template allows the Ooggi test environment to
# interact with the practitioner's AWS account.
# The IAM role trust policy restricts who may assume the role to the Ooggi test environment
# (and the practitioner's own account).
# The IAM policy allows a limited subset of API calls that are further restricted to specific resource names.
# When the Ooggi test for the relevant challenge is executed, temporary credentials are generated
# based on the permissions associated with the IAM Role.
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ChallengeID:
    Type: String
    Default: 131
    AllowedValues:
      - 131
    Description: Static parameter for Challenge ID.
  ChallengeResourcePrefix:
    Type: String
    Default: ooggi-r-
    AllowedValues:
      - ooggi-r-
    Description: Static prefix for challenge resources
  AWSRegionForChallengeResources:
    Type: String
    Default: eu-west-1
    AllowedValues:
      - eu-west-1
    Description: The AWS region based on the challenge requirements
Resources:
  IAMRoleForTest:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Join:
          - ''
          - - Ref: ChallengeResourcePrefix
            - Ref: ChallengeID
            - '-test-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::840549777791:root # Ooggi test environment account #1
                - arn:aws:iam::323337194180:root # Ooggi test environment account #2
                - Fn::Join: # The practitioner's AWS account is also allowed to assume the IAM role.
                    - ''
                    - - 'arn:aws:iam::'
                      - Ref: AWS::AccountId
                      - ':root'
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:DescribeTable
                  - dynamodb:Scan
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:aws:dynamodb:'
                        - Ref: AWSRegionForChallengeResources
                        - ':'
                        - Ref: AWS::AccountId
                        - ':table/'
                        - Ref: ChallengeResourcePrefix
                        - '*'
Outputs:
  IAMRoleForTestArn:
    Value:
      Fn::GetAtt:
        - IAMRoleForTest
        - Arn
    Description: 'ARN of the IAM Role to be used for the remote test'
  AssumeRoleHelper:
    Value:
      Fn::Join:
        - ''
        - - 'aws sts assume-role --role-arn '
          - Fn::GetAtt:
              - IAMRoleForTest
              - Arn
          - " --role-session-name test --duration-seconds 3600"
    Description: AWS CLI IAM Assume Role helper command. Useful if you'd like to work directly with the temporary credentials
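The following is an added example, not part of the Ooggi template. It re-types the template's trust-policy principals and inline policy statement as Python dicts (long-form Ref / Fn::Join, exactly as the template spells them), resolves the intrinsic functions against the parameter defaults and a constructed account id (123456789012 is a placeholder), and then checks which DynamoDB calls the resulting role would be allowed to make. This makes the scoping described in the header concrete before deploying: the role can only DescribeTable and Scan, only in eu-west-1, only in the deploying account, and only on tables whose name starts with ooggi-r- (which, because an IAM `*` also matches `/`, covers the secondary indexes of those tables too).

```python
"""Resolve the intrinsic functions of the Ooggi IAM role helper template and
check what the resulting role may do. Added example, not the project's code:
the fragments below are copied from the template into Python dicts, the account
id 123456789012 is a constructed placeholder and the candidate API calls are
constructed test inputs."""
from fnmatch import fnmatchcase

# Parameter defaults as declared in the template's Parameters section.
PARAMS = {
    "ChallengeID": "131",
    "ChallengeResourcePrefix": "ooggi-r-",
    "AWSRegionForChallengeResources": "eu-west-1",
}

# Trust-policy principals; the third one resolves to the deploying account.
TRUST_PRINCIPALS = [
    "arn:aws:iam::840549777791:root",
    "arn:aws:iam::323337194180:root",
    {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]},
]

# The single inline policy statement from the template.
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:DescribeTable", "dynamodb:Scan"],
    "Resource": [
        {"Fn::Join": ["", [
            "arn:aws:dynamodb:",
            {"Ref": "AWSRegionForChallengeResources"},
            ":",
            {"Ref": "AWS::AccountId"},
            ":table/",
            {"Ref": "ChallengeResourcePrefix"},
            "*",
        ]]}
    ],
}


def resolve(node, account_id, params=PARAMS):
    """Recursively evaluate Ref and long-form Fn::Join into plain values."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return [resolve(n, account_id, params) for n in node]
    if isinstance(node, dict):
        if "Ref" in node:
            name = node["Ref"]
            return account_id if name == "AWS::AccountId" else params[name]
        if "Fn::Join" in node:
            separator, parts = node["Fn::Join"]
            return separator.join(resolve(p, account_id, params) for p in parts)
        return {k: resolve(v, account_id, params) for k, v in node.items()}
    raise TypeError(f"unsupported template node: {node!r}")


def role_arn(account_id):
    """ARN the RoleName Fn::Join produces (prefix + challenge id + '-test-role')."""
    name = PARAMS["ChallengeResourcePrefix"] + PARAMS["ChallengeID"] + "-test-role"
    return f"arn:aws:iam::{account_id}:role/{name}"


def trusted_principals(account_id):
    """Accounts whose identities may call sts:AssumeRole on the test role."""
    return resolve(TRUST_PRINCIPALS, account_id)


def is_allowed(action, resource_arn, account_id):
    """True if the resolved statement allows `action` on `resource_arn`.
    Only Allow/Action/Resource wildcard matching of this one statement is
    modelled; IAM actions are case-insensitive, resource ARNs are not."""
    stmt = resolve(POLICY_STATEMENT, account_id)
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"])
    resource_ok = any(fnmatchcase(resource_arn, r) for r in stmt["Resource"])
    return stmt["Effect"] == "Allow" and action_ok and resource_ok


if __name__ == "__main__":
    acct = "123456789012"  # constructed placeholder account id
    print("role:", role_arn(acct))
    print("trusted:", trusted_principals(acct))
    table = f"arn:aws:dynamodb:eu-west-1:{acct}:table/ooggi-r-orders"
    for act, res in [("dynamodb:Scan", table),
                     ("dynamodb:PutItem", table),
                     ("dynamodb:Scan", table + "/index/by-customer"),
                     ("dynamodb:Scan", table.replace("ooggi-r-", "prod-"))]:
        print(f"{act:<22} {res:<70} -> {is_allowed(act, res, acct)}")
```

Run it as-is to see the resolved role ARN, the three trusted principals and an allow/deny line per candidate call; swap the placeholder account id for the real one to reproduce exactly what the stack would create.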