@@ -559,3 +559,95 @@ Resources:
559559 - !GetAtt GitHubCIRole.Arn
560560 - " arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2"
561561 Action : " sts:AssumeRole"
562+
563+ KMSHV1WithPrefixedRobbie :
564+ Type : " AWS::IAM::Role"
565+ Properties :
566+ RoleName : " KMS-HV1-With-Prefixed-Robbie"
567+ Description : " Restrict to Encryption Context that contains Robbie Is a Dog."
568+ Policies :
569+ - PolicyName : Prefix-Robbie-Must-Exist
570+ PolicyDocument :
571+ Version : " 2012-10-17"
572+ Statement :
573+ - Effect : Allow
574+ Action :
575+ - " kms:Decrypt"
576+ - " kms:Encrypt"
577+ - " kms:GenerateDataKeyWithoutPlaintext"
578+ - " kms:ReEncrypt*"
579+ Resource : " *"
580+ Condition :
581+ StringEquals :
582+ " kms:EncryptionContext:aws-crypto-ec:Robbie " : " Is a Dog."
583+ AssumeRolePolicyDocument :
584+ Version : " 2012-10-17"
585+ Statement :
586+ - Effect : Allow
587+ Principal :
588+ Federated : !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"
589+ Action : " sts:AssumeRoleWithWebIdentity"
590+ Condition :
591+ StringEquals :
592+ token.actions.githubusercontent.com:aud : " sts.amazonaws.com"
593+ StringLike :
594+ token.actions.githubusercontent.com:sub :
595+ - " repo:aws/private-aws-encryption-sdk-dafny-staging:*"
596+ - " repo:aws/aws-encryption-sdk-dafny:*"
597+ - " repo:aws/aws-cryptographic-material-providers-library:*"
598+ - " repo:aws/private-aws-cryptographic-material-providers-library-dafny-staging:*"
599+ - Effect : Allow
600+ Principal :
601+ AWS :
602+ - !Sub " arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
603+ - " arn:aws:iam::648638458147:role/AVP-14101"
604+ - !GetAtt GitHubCIRole.Arn
605+ - " arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2"
606+ Action : " sts:AssumeRole"
607+
608+ KMSHV2OnlyRobbie :
609+ Type : " AWS::IAM::Role"
610+ Properties :
611+ RoleName : " KMS-HV2-Robbie-Only"
612+ Description : " Restrict to only Encryption Context that IS Robbie Is a Dog."
613+ Policies :
614+ - PolicyName : Only-Robbie
615+ PolicyDocument :
616+ Version : " 2012-10-17"
617+ Statement :
618+ - Effect : Allow
619+ Action :
620+ - " kms:Decrypt"
621+ - " kms:Encrypt"
622+ - " kms:GenerateDataKey"
623+ Resource : " *"
624+ Condition :
625+ StringEquals :
626+ " kms:EncryptionContext:Robbie " : " Is a Dog."
627+ ForAllValues:StringEquals :
628+ " kms:EncryptionContextKeys " :
629+ - " Robbie"
630+ AssumeRolePolicyDocument :
631+ Version : " 2012-10-17"
632+ Statement :
633+ - Effect : Allow
634+ Principal :
635+ Federated : !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"
636+ Action : " sts:AssumeRoleWithWebIdentity"
637+ Condition :
638+ StringEquals :
639+ token.actions.githubusercontent.com:aud : " sts.amazonaws.com"
640+ StringLike :
641+ token.actions.githubusercontent.com:sub :
642+ - " repo:aws/private-aws-encryption-sdk-dafny-staging:*"
643+ - " repo:aws/aws-encryption-sdk-dafny:*"
644+ - " repo:aws/aws-cryptographic-material-providers-library:*"
645+ - " repo:aws/private-aws-cryptographic-material-providers-library-dafny-staging:*"
646+ - Effect : Allow
647+ Principal :
648+ AWS :
649+ - !Sub " arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
650+ - " arn:aws:iam::648638458147:role/AVP-14101"
651+ - !GetAtt GitHubCIRole.Arn
652+ - " arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2"
653+ Action : " sts:AssumeRole"
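Review bot: Both new roles allow kms:Decrypt, kms:Encrypt and the data-key operations on `Resource: "*"` (the Resource line of each PolicyDocument statement), so the encryption-context condition is the only thing keeping them off every other key the account can reach; scoping `Resource` to the ARN(s) of the key(s) these tests actually use would make the "Robbie only" intent hold even if another key happens to be called with a matching context. The rendered condition keys carry a trailing space inside the quotes (`" kms:EncryptionContext:aws-crypto-ec:Robbie "`, `" kms:EncryptionContext:Robbie "`, `" kms:EncryptionContextKeys "`); if that space is in the template rather than a rendering artifact, the key name will match no request key and the StringEquals condition can never be satisfied, so the roles would deny everything — worth checking against the raw file. In the HV2 role the `ForAllValues:StringEquals` on `kms:EncryptionContextKeys` is what excludes extra context pairs, and it only works together with the `StringEquals` on `kms:EncryptionContext:Robbie` (ForAllValues alone is satisfied by an empty context), so a comment such as `# StringEquals requires Robbie; ForAllValues forbids any other key` would keep the two from being split apart later. The OIDC `sub` patterns `repo:<org>/<repo>:*` accept any branch, tag, environment or workflow in the four repositories, as the existing roles do; if these roles are meant for a specific workflow or protected branch, narrowing the `StringLike` value (for example to `:ref:refs/heads/main` or `:environment:<name>`) would limit which CI runs can reach the Robbie-restricted keys.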