Metadata:
  Rok::StackName:
Resources:
  FluentBitRole:
    Type: AWS::IAM::Role
    Description: Fluent Bit Role
    Properties:
      RoleName:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: arn:aws:iam:::oidc-provider/
            Condition:
              StringEquals:
                :sub: system:serviceaccount:amazon-cloudwatch:fluent-bit
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy"