artilleryio
diff --git a/‎packages/artillery/lib/platform/aws/iam-cf-templates/gh-oidc-lambda.yml
-153 b/‎packages/artillery/lib/platform/aws/iam-cf-templates/gh-oidc-lambda.yml
-153
diff --git a/‎packages/artillery/lib/platform/aws/iam-cf-templates/gh-oidc-fargate.yml renamed to ‎packages/artillery/lib/platform/aws/iam-cf-templates/github-oidc.yml
+65-8 b/‎packages/artillery/lib/platform/aws/iam-cf-templates/gh-oidc-fargate.yml renamed to ‎packages/artillery/lib/platform/aws/iam-cf-templates/github-oidc.yml
+65-8
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: Creates an ArtilleryGitHubOIDCForFargateRole IAM role with permissions needed to run Artillery Fargate tests from a specified GitHub repository. An OIDC identity provider for Github will also be created if it is not already present in the account.
+Description: Sets up IAM resources needed to trigger Artillery distributed tests (on AWS Fargate/Lambda) from a specified GitHub repository. Uses OpenID Connect (OIDC) to authenticate requests from GitHub.
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -19,13 +19,13 @@ Metadata:
       GitHubBranch:
         default: "GitHub branch"
       GitHubOIDCProviderExists:
-        default: "GitHub OIDC identity provider already created for the account?"
+        default: "Is GitHub OIDC identity provider already created for the account?"
 
 Parameters:
   GitHubRepository:
     Type: String
     Default: ""
-    Description: The GitHub repository (orgname/reponame) to be allowed to assume the created IAM role using OIDC (e.g. "artilleryio/artillery").
+    Description: The GitHub repository ("GitHubOrganizationOrUser/GitHubRepository") to be allowed to assume the created IAM role using OIDC (e.g. "artilleryio/artillery").
 
   GitHubBranch:
     Type: String
@@ -38,7 +38,8 @@ Parameters:
     AllowedValues:
       - 'Yes'
       - 'No'
-    Description: This will let CloudFormation know whether it needs to create the provider. (If it exists, can be found at Services -> IAM -> Identity providers as 'token.actions.githubusercontent.com').
+    Description: This will let CloudFormation know whether it needs to create the OIDC identity provider for GitHub. (If it exists, can be found at IAM > Identity providers).
+
 
 Conditions:
   IsGHRepoSet:
@@ -56,12 +57,12 @@ Resources:
       ClientIdList:
         - "sts.amazonaws.com"
       ThumbprintList:
-        - "6938fd4d98bab03faadb97b34396831e3780ee11"
+        - "6938fd4d98bab03faadb97b34396831e3780aea1"
 
-  ArtilleryGitHubOIDCForFargateRole:
+  ArtilleryGitHubOIDCRole:
     Type: "AWS::IAM::Role"
     Properties:
-      RoleName: "ArtilleryGitHubOIDCForFargateRole"
+      RoleName: "ArtilleryGitHubOIDCRole"
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
         Statement:
@@ -228,12 +229,68 @@ Resources:
                   - "ec2:DescribeSubnets"
                 Resource: "*"
 
+        - PolicyName: ArtilleryDistributedTestingLambdaPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: CreateOrGetLambdaRole
+                Effect: Allow
+                Action:
+                  - iam:CreateRole
+                  - iam:GetRole
+                  - iam:PassRole
+                  - iam:AttachRolePolicy
+                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/artilleryio-default-lambda-role-*"
+              - Sid: CreateLambdaPolicy
+                Effect: Allow
+                Action:
+                  - iam:CreatePolicy
+                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:policy/artilleryio-lambda-policy-*"
+              - Sid: SQSPermissions
+                Effect: Allow
+                Action:
+                  - sqs:*
+                Resource: !Sub "arn:aws:sqs:*:${AWS::AccountId}:artilleryio*"
+              - Sid: SQSListQueues
+                Effect: Allow
+                Action:
+                  - sqs:ListQueues
+                Resource: "*"
+              - Sid: LambdaPermissions
+                Effect: Allow
+                Action:
+                  - lambda:InvokeFunction
+                  - lambda:CreateFunction
+                  - lambda:DeleteFunction
+                  - lambda:GetFunctionConfiguration
+                Resource: !Sub "arn:aws:lambda:*:${AWS::AccountId}:function:artilleryio-*"
+              - Sid: EcrPullImagePermissions
+                Effect: Allow
+                Action:
+                  - ecr:GetDownloadUrlForLayer
+                  - ecr:BatchGetImage
+                Resource: "arn:aws:ecr:*:248481025674:repository/artillery-worker"
+              - Sid: S3Permissions
+                Effect: Allow
+                Action:
+                  - s3:CreateBucket
+                  - s3:DeleteObject
+                  - s3:GetObject
+                  - s3:PutObject
+                  - s3:ListBucket
+                  - s3:GetLifecycleConfiguration
+                  - s3:PutLifecycleConfiguration
+                Resource:
+                  - !Sub "arn:aws:s3:::artilleryio-test-data-*"
+                  - !Sub "arn:aws:s3:::artilleryio-test-data-*/*"
+
+
 Outputs:
   RoleArn:
     Description: "ARN of the created IAM Role"
     Value:
       Fn::GetAtt:
-        - "ArtilleryGitHubOIDCForFargateRole"
+        - "ArtilleryGitHubOIDCRole"
         - "Arn"
   OIDCProviderArn:
     Condition: CreateOIDCProvider