Page MenuHomePhabricator

[terraform] Add IAM policies for services-to-services token
ClosedPublic

Authored by bartek on Jun 20 2024, 1:14 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Nov 23, 1:44 PM
Unknown Object (File)
Sat, Nov 23, 11:32 AM
Unknown Object (File)
Sat, Nov 9, 5:11 AM
Unknown Object (File)
Fri, Nov 8, 2:05 PM
Unknown Object (File)
Fri, Nov 1, 2:26 PM
Unknown Object (File)
Oct 26 2024, 8:31 AM
Unknown Object (File)
Oct 24 2024, 7:03 PM
Unknown Object (File)
Oct 24 2024, 4:42 AM
Subscribers

Details

Summary

Backup service was unable to get services-to-services token for unauthenticated endpoints (latest backup), due to:

User: arn:aws:sts::************:assumed-role/backup-service-role/************ is not authorized to perform: secretsmanager:GetSecretValue on resource: servicesToken because no identity-based policy allows the secretsmanager:GetSecretValue action

Added proper IAM policy that allows reading the secret by services.

Depends on D12504

Test Plan

Applied this on staging and confirmed that the issue is gone

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

bartek held this revision as a draft.
bartek published this revision for review.Jun 20 2024, 1:30 AM
bartek added inline comments.
services/terraform/remote/aws_iam.tf
114–125

Policy document taken from the docs (the Allow read access to specific secrets in AWS Secrets Manager section). I limited it a bit more (we don't need ability to list secrets)

This revision is now accepted and ready to land.Jun 20 2024, 3:39 AM