haven-secrets-core
Version:
Core for Haven, the easy to use centralized secrets manager.
124 lines (119 loc) • 3.12 kB
JavaScript
const createHavenAdminPolicy = (
AWS,
region,
accountNumber,
policyName,
keyArn,
path
) => {
const iam = new AWS.IAM();
const policy = {
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: [
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DescribeTable",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:UpdateItem",
],
Resource: `arn:aws:dynamodb:${region}:${accountNumber}:table/${path}*`,
},
{
Effect: "Allow",
Action: "dynamodb:ListTables",
Resource: `arn:aws:dynamodb:${region}:${accountNumber}:table/*`,
},
{
Effect: "Allow",
Action: [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:ScheduleKeyDeletion",
],
Resource: keyArn,
},
{
Effect: "Allow",
Action: ["kms:ListAliases"],
Resource: "*",
},
{
Effect: "Allow",
Action: [
"iam:CreatePolicy",
"iam:CreateGroup",
"iam:CreateRole",
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:DeleteGroup",
"iam:DeleteRole",
"iam:DeleteUser",
"iam:DeletePolicy",
"iam:DeleteAccessKey",
"iam:DeleteGroupPolicy",
"iam:PutGroupPolicy",
"iam:GetGroupPolicy",
"iam:GetGroup",
"iam:GetUser",
"iam:AddUserToGroup",
"iam:TagUser",
"iam:PassRole",
"iam:ListUsers",
"iam:DetachRolePolicy",
"iam:AttachRolePolicy",
"iam:RemoveUserFromGroup",
"iam:ListGroupsForUser",
"iam:ListAccessKeys",
"iam:PutUserPolicy",
"iam:DeleteUserPolicy",
],
Resource: [
`arn:aws:iam::${accountNumber}:user/${path}*`,
`arn:aws:iam::${accountNumber}:role/${path}*`,
`arn:aws:iam::${accountNumber}:policy/${path}*`,
`arn:aws:iam::${accountNumber}:group/${path}*`,
],
},
{
Effect: "Allow",
Action: [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
],
Resource: [
`arn:aws:cloudformation:${region}:${accountNumber}:stack/${path}*`,
],
},
{
Effect: "Allow",
Action: ["cloudformation:ListStacks"],
Resource: ["*"],
},
{
Effect: "Allow",
Action: [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
],
Resource: [
`arn:aws:lambda:${region}:${accountNumber}:function:${path}*`,
],
},
],
};
const params = {
PolicyDocument: JSON.stringify(policy),
PolicyName: policyName,
Description: `Policy for Haven Admin permissions`,
Path: `/${path}/`,
};
return iam.createPolicy(params).promise();
};
export default createHavenAdminPolicy;