AWSTemplateFormatVersion: '2010-09-09' Metadata: License: Apache-2.0 Description: 'Sample cloudformation template that creates default Greengrass provisioning resources.' Resources: GreengrassProvisioningUser: Type: AWS::IAM::User S3Bucket: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 VersioningConfiguration: Status: Enabled GreengrassProvisioningUserGroup: Type: AWS::IAM::Group Users: Type: AWS::IAM::UserToGroupAddition Properties: GroupName: !Ref 'GreengrassProvisioningUserGroup' Users: [!Ref 'GreengrassProvisioningUser'] GreengrassTokenExchangeRole: Type: AWS::IAM::Role Properties: RoleName: "GreengrassV2TokenExchangeRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - credentials.iot.amazonaws.com Action: - 'sts:AssumeRole' RobotPolicy: Type: AWS::IAM::Policy Properties: PolicyName: RobotPolicy PolicyDocument: Statement: - Effect: Allow Action: [ "s3:ListBucket" ] Resource: !Join ["",[ "arn:aws:s3:::", !Ref S3Bucket ] ] - Effect: Allow Action: [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ] Resource: !Join ["",["arn:aws:s3:::", !Ref S3Bucket,"/*"] ] - Effect: Allow Action: [ "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ] Resource: '*' - Effect: Allow Action: [ "greengrass:" ] Resource: '*' - Effect: Allow Action: [ "iot:" ] Resource: '*' Roles: [ !Ref 'GreengrassTokenExchangeRole' ] GreengrassTokenPolicy: Type: AWS::IAM::Policy Properties: PolicyName: GreengrassTokenExchangePolicy PolicyDocument: Statement: - Effect: Allow Action: [ "iot:DescribeCertificate", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams", "iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive", "s3:GetBucketLocation" ] Resource: '*' Roles: [ !Ref 'GreengrassTokenExchangeRole' ] GreengrassProvisioningUserPolicies: Type: AWS::IAM::Policy Properties: PolicyName: GreengrassProvisioningUsers PolicyDocument: Statement: - Effect: Allow Action: [ "iot:AddThingToThingGroup", "iot:AttachPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateRoleAlias", "iot:CreateThing", "iot:CreateThingGroup", "iot:DescribeEndpoint", "iot:DescribeRoleAlias", "iot:DescribeThingGroup", "iot:GetPolicy", "iam:GetRole", "iam:CreateRole", "iam:PassRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetPolicy", "sts:GetCallerIdentity" ] Resource: '*' - Effect: Allow Action: [ "greengrass:CreateDeployment", "iot:CancelJob", "iot:CreateJob", "iot:DeleteThingShadow", "iot:DescribeJob", "iot:DescribeThing", "iot:DescribeThingGroup", "iot:GetThingShadow", "iot:UpdateJob", "iot:UpdateThingShadow" ] Resource: '*' Groups: [!Ref 'GreengrassProvisioningUserGroup'] Outputs: UserName: Value: !Ref GreengrassProvisioningUser Description: User name for the provisioning user. S3BucketName: Value: !Ref S3Bucket Description: S3 bucket to upload assets to.