chore: allow ToolsDevelopment to Assume CI Role (#179)

Author: texastony

README.md

@@ -13,7 +13,9 @@ Integration tests are included. To test them, certain environment variables need
 * `AWS_REGION` - The region the AWS resources (KMS key, S3 bucket) resides e.g. "us-east-1"
 
 To create these resources, refer to the included CloudFormation template (cfn/S3EC-GitHub-CF-Template).
+The IAM Role `S3ECGithubTestRole` SHOULD BE manually customized by you.
 Make sure that the repo in the trust policy of the IAM role refers to your fork instead of the `aws` organization.
+Also, remove the `ToolsDevelopment` clause of the `S3ECGithubTestRole`'s `AssumeRolePolicyDocument`.
 **NOTE**: Your account may incur charges based on the usage of any resources beyond the AWS Free Tier.
 
 If you have forked this repo, there are additional steps required.

cfn/S3EC-GitHub-CF-Template renamed to cfn/S3EC-GitHub-CF-Template.yml

@@ -1,105 +1,110 @@
-AWSTemplateFormatVersion: 2010-09-09
-Resources:
-  S3ECGitHubKMSKeyID:
-    Type: 'AWS::KMS::Key'
-    Properties:
-      Description: KMS Key for GitHub Action Workflow
-      Enabled: true
-      KeyPolicy:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
-            Action: 'kms:*'
-            Resource: '*'
-
-  S3ECGitHubKMSKeyAlias:
-    Type: 'AWS::KMS::Alias'
-    Properties:
-      AliasName: alias/S3EC-Github-KMS-Key
-      TargetKeyId: !Ref S3ECGitHubKMSKeyID
-
-  S3ECGitHubTestS3Bucket:
-    Type: 'AWS::S3::Bucket'
-    Properties:
-      BucketName: s3ec-github-test-bucket
-      LifecycleConfiguration:
-        Rules:
-          - Id: Expire in 14 days
-            Status: Enabled
-            ExpirationInDays: 14
-      PublicAccessBlockConfiguration:
-        BlockPublicAcls: false
-        BlockPublicPolicy: false
-        IgnorePublicAcls: false
-        RestrictPublicBuckets: false
-
-  S3ECGitHubS3BucketPolicy:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      ManagedPolicyName: S3EC-GitHub-S3-Bucket-Policy
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action:
-              - 's3:PutObject'
-              - 's3:GetObject'
-              - 's3:DeleteObject'
-            Resource:
-              - !Join [ "", [ !GetAtt S3ECGitHubTestS3Bucket.Arn, '/*'] ]
-
-  S3ECGitHubKMSKeyPolicy:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Resource": [
-                "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECGitHubKMSKeyID}",
-                "arn:aws:kms:*:${AWS::AccountId}:${S3ECGitHubKMSKeyAlias}"
-              ],
-              "Action": [
-                "kms:Decrypt",
-                "kms:GenerateDataKey",
-                "kms:GenerateDataKeyPair"
-              ]
-            }
-          ]
-        }
-      ManagedPolicyName: S3EC-GitHub-KMS-Key-Policy
-
-  S3ECGithubTestRole:
-    Type: 'AWS::IAM::Role'
-    Properties:
-      Path: /service-role/
-      RoleName: S3EC-GitHub-test-role
-      AssumeRolePolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",   
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
-              "Action": "sts:AssumeRoleWithWebIdentity",
-              "Condition": {
-                  "StringEquals": {
-                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
-                  },
-                  "StringLike": {
-                    "token.actions.githubusercontent.com:sub": "repo:aws/amazon-s3-encryption-client-java:*"
-                  }
-               }
-            }
-          ]
-        }
-      Description: >-
-        Grant GitHub S3 put and get and KMS encrypt, decrypt, and generate access
-        for testing
-      ManagedPolicyArns:
-        - !Ref S3ECGitHubKMSKeyPolicy
-        - !Ref S3ECGitHubS3BucketPolicy
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  S3ECGitHubKMSKeyID:
+    Type: 'AWS::KMS::Key'
+    Properties:
+      Description: KMS Key for GitHub Action Workflow
+      Enabled: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Action: 'kms:*'
+            Resource: '*'
+
+  S3ECGitHubKMSKeyAlias:
+    Type: 'AWS::KMS::Alias'
+    Properties:
+      AliasName: alias/S3EC-Github-KMS-Key
+      TargetKeyId: !Ref S3ECGitHubKMSKeyID
+
+  S3ECGitHubTestS3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: s3ec-github-test-bucket
+      LifecycleConfiguration:
+        Rules:
+          - Id: Expire in 14 days
+            Status: Enabled
+            ExpirationInDays: 14
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+
+  S3ECGitHubS3BucketPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      ManagedPolicyName: S3EC-GitHub-S3-Bucket-Policy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - 's3:PutObject'
+              - 's3:GetObject'
+              - 's3:DeleteObject'
+            Resource:
+              - !Join [ "", [ !GetAtt S3ECGitHubTestS3Bucket.Arn, '/*'] ]
+
+  S3ECGitHubKMSKeyPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      PolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Resource": [
+                "arn:aws:kms:*:${AWS::AccountId}:key/${S3ECGitHubKMSKeyID}",
+                "arn:aws:kms:*:${AWS::AccountId}:${S3ECGitHubKMSKeyAlias}"
+              ],
+              "Action": [
+                "kms:Decrypt",
+                "kms:GenerateDataKey",
+                "kms:GenerateDataKeyPair"
+              ]
+            }
+          ]
+        }
+      ManagedPolicyName: S3EC-GitHub-KMS-Key-Policy
+
+  S3ECGithubTestRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      Path: /service-role/
+      RoleName: S3EC-GitHub-test-role
+      AssumeRolePolicyDocument: !Sub |
+        {
+          "Version": "2012-10-17",   
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Condition": {
+                  "StringEquals": {
+                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                  },
+                  "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:aws/amazon-s3-encryption-client-java:*"
+                  }
+               }
+            },
+            {
+              "Effect": "Allow",
+              "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
+              "Action": "sts:AssumeRole"
+            }
+          ]
+        }
+      Description: >-
+        Grant GitHub S3 put and get and KMS encrypt, decrypt, and generate access
+        for testing
+      ManagedPolicyArns:
+        - !Ref S3ECGitHubKMSKeyPolicy
+        - !Ref S3ECGitHubS3BucketPolicy