
[terraform] Add IAM policies for services-to-services token
ClosedPublic

Authored by bartek on Jun 20 2024, 1:14 AM.
Details

Summary

The backup service was unable to get a services-to-services token for unauthenticated endpoints (latest backup), due to:

User: arn:aws:sts::************:assumed-role/backup-service-role/************ is not authorized to perform: secretsmanager:GetSecretValue on resource: servicesToken because no identity-based policy allows the secretsmanager:GetSecretValue action

Added a proper IAM policy that allows services to read the secret.

Depends on D12504

Test Plan

Applied this on staging and confirmed that the issue is gone.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

bartek held this revision as a draft.
bartek published this revision for review. Jun 20 2024, 1:30 AM
bartek added inline comments.
services/terraform/remote/aws_iam.tf
Lines 114–125 (on Diff #41542)

Policy document taken from the docs (the "Allow read access to specific secrets in AWS Secrets Manager" section). I limited it a bit more (we don't need the ability to list secrets).
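As an added illustration of the policy shape the comment above describes (example code, not the project's services/terraform/remote/aws_iam.tf, which this page does not show): a Terraform policy that grants only secretsmanager:GetSecretValue on the one secret and attaches it to the role named in the error. The resource names, the aws_iam_role.backup_service reference and the data-source lookup are assumptions.

```hcl
# Added example, not the project's aws_iam.tf. Resource names are assumptions.

# Resolve the secret by name so the policy can reference its full ARN.
# Secrets Manager ARNs carry a random 6-character suffix after the name
# (...:secret:servicesToken-AbCdEf), so a Resource entry built from the
# bare name would not match at policy evaluation time.
data "aws_secretsmanager_secret" "services_token" {
  name = "servicesToken"
}

# Least privilege: only GetSecretValue, only on this one secret.
# No secretsmanager:ListSecrets: that action has to be granted on "*" and
# is not needed to read a secret whose name the caller already knows.
data "aws_iam_policy_document" "read_services_token" {
  statement {
    sid       = "ReadServicesToken"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.services_token.arn]
  }
}

# Attach as an inline policy on the role that produced the AccessDenied
# error. aws_iam_role.backup_service is assumed to be defined elsewhere.
resource "aws_iam_role_policy" "backup_service_read_services_token" {
  name   = "read-services-token"
  role   = aws_iam_role.backup_service.name
  policy = data.aws_iam_policy_document.read_services_token.json
}
```

Two checks worth running before and after apply. `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names secretsmanager:GetSecretValue --resource-arns <secret-arn>` should move from an EvalDecision of implicitDeny to allowed, which reproduces the original error without touching the backup service. And if the secret is encrypted with a customer managed KMS key instead of the AWS managed aws/secretsmanager key, the role additionally needs kms:Decrypt on that key, or GetSecretValue keeps failing with a KMS error even though the Secrets Manager policy is correct.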

This revision is now accepted and ready to land. Jun 20 2024, 3:39 AM