[terraform] Add IAM policies for services-to-services token
ClosedPublic
Actions

Authored by bartek on Jun 20 2024, 1:14 AM.

Details

Reviewers

kamil
will

Commits

rCOMMd6daa18521bf: [terraform] Add IAM policies for services-to-services token

Summary

Backup service was unable to get services-to-services token for unauthenticated endpoints (latest backup), due to:

User: arn:aws:sts::************:assumed-role/backup-service-role/************ is not authorized to perform: secretsmanager:GetSecretValue on resource: servicesToken because no identity-based policy allows the secretsmanager:GetSecretValue action

Added proper IAM policy that allows reading the secret by services.

Depends on D12504

Test Plan

Applied this on staging and confirmed that the issue is gone

Diff Detail

Repository

rCOMM Comm

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

bartek created this revision.Jun 20 2024, 1:14 AM

bartek held this revision as a draft.

Herald added subscribers: tomek, ashoat. · View Herald TranscriptJun 20 2024, 1:14 AM

bartek published this revision for review.Jun 20 2024, 1:30 AM

bartek added inline comments.

services/terraform/remote/aws_iam.tf
114–125	Policy document taken from the docs (the Allow read access to specific secrets in AWS Secrets Manager section). I limited it a bit more (we don't need ability to list secrets)