[terraform] Add IAM policies for services-to-services token
d6daa18521bf
Actions

Description

[terraform] Add IAM policies for services-to-services token

Summary:
Backup service was unable to get services-to-services token for unauthenticated endpoints (latest backup), due to:

User: arn:aws:sts::************:assumed-role/backup-service-role/************ is not authorized to perform: secretsmanager:GetSecretValue on resource: servicesToken because no identity-based policy allows the secretsmanager:GetSecretValue action

Added proper IAM policy that allows reading the secret by services.

Depends on D12504

Test Plan: Applied this on staging and confirmed that the issue is gone

Reviewers: kamil, will

Reviewed By: kamil

Subscribers: ashoat, tomek

Differential Revision: https://phab.comm.dev/D12505

Details

Provenance

bartek

Authored on Jun 20 2024, 1:05 AM

Reviewer

kamil

Differential Revision

D12505: [terraform] Add IAM policies for services-to-services token

Parents

rCOMM44ecf8804a94: [backup] Hotfix Blob service client auth

Branches

Unknown

Tags

Unknown

Event Timeline

bartek committed rCOMMd6daa18521bf: [terraform] Add IAM policies for services-to-services token (authored by bartek).Jun 20 2024, 4:52 AM

bartek added an edge: D12505: [terraform] Add IAM policies for services-to-services token.

Changes (1)

Path

Size

services/

terraform/

remote/

aws_iam.tf

rCOMMd6daa18521bf

View Options

services/terraform/remote/aws_iam.tf