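# CloudFormation template (rendered by Jinja before YAML parsing) that creates
# the IAM role and managed policy a Rok service account assumes through IRSA
# (EKS OIDC federation). Templated scalars are quoted so an empty or
# number-looking expansion still renders as a string rather than null/int.
Metadata:
  Rok::StackName: "{{AWS_CF_S3_RESOURCES}}"

Resources:
  RokS3Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "{{AWS_S3_ROLE}}"
      # Trust policy: only the named Kubernetes service account, authenticated
      # through this cluster's OIDC provider, may assume the role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: "arn:aws:iam::{{AWS_ACCOUNT_ID}}:oidc-provider/{{EKS_CLUSTER_OIDC}}"
            Condition:
              StringEquals:
                # NOTE(review): only the `sub` claim is pinned here; pinning the
                # `aud` claim as well (to the audience the cluster's pod identity
                # webhook issues tokens for) stops tokens minted for other
                # audiences from assuming this role — confirm the audience in use.
                "{{EKS_CLUSTER_OIDC}}:sub": "system:serviceaccount:{{ROK_CLUSTER_NAMESPACE}}:{{ROK_CLUSTER_NAME}}"
      ManagedPolicyArns:
        - Ref: RokS3Policy

  RokS3Policy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # The policy name embeds namespace/name only for non-default Rok clusters,
      # so the default "rok/rok" deployment keeps the shorter name.
      {%- if ROK_CLUSTER_NAMESPACE != "rok" or ROK_CLUSTER_NAME != "rok" %}
      ManagedPolicyName: "rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}-{{ROK_CLUSTER_NAMESPACE}}-{{ROK_CLUSTER_NAME}}"
      {%- else %}
      ManagedPolicyName: "rok-{{AWS_DEFAULT_REGION}}-{{EKS_CLUSTER}}"
      {%- endif %}
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # NOTE(review): s3:* also grants bucket-policy, ACL and deletion
            # operations on every bucket matching the prefix; narrowing this to
            # the actions the workload actually needs limits the blast radius
            # of a compromised pod.
            Action: s3:*
            Resource:
              - "arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*"
              - "arn:aws:s3:::{{AWS_S3_BUCKET_PREFIX}}-*/*"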