Page MenuHomePhabricator

[terraform] Add IAM policies for services-to-services token
ClosedPublic

Authored by bartek on Jun 20 2024, 1:14 AM.
Tags
None
Referenced Files
F3353850: D12505.diff
Sat, Nov 23, 11:32 AM
Unknown Object (File)
Sat, Nov 9, 5:11 AM
Unknown Object (File)
Fri, Nov 8, 2:05 PM
Unknown Object (File)
Fri, Nov 1, 2:26 PM
Unknown Object (File)
Sat, Oct 26, 8:31 AM
Unknown Object (File)
Thu, Oct 24, 7:03 PM
Unknown Object (File)
Oct 24 2024, 4:42 AM
Unknown Object (File)
Oct 12 2024, 1:26 PM
Subscribers

Details

Summary

Backup service was unable to get services-to-services token for unauthenticated endpoints (latest backup), due to:

User: arn:aws:sts::************:assumed-role/backup-service-role/************ is not authorized to perform: secretsmanager:GetSecretValue on resource: servicesToken because no identity-based policy allows the secretsmanager:GetSecretValue action

Added proper IAM policy that allows reading the secret by services.

Depends on D12504

Test Plan

Applied this on staging and confirmed that the issue is gone

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

bartek held this revision as a draft.
bartek published this revision for review.Jun 20 2024, 1:30 AM
bartek added inline comments.
services/terraform/remote/aws_iam.tf
114–125 ↗(On Diff #41542)

Policy document taken from the docs (the Allow read access to specific secrets in AWS Secrets Manager section). I limited it a bit more (we don't need ability to list secrets)

This revision is now accepted and ready to land.Jun 20 2024, 3:39 AM