
Commit 6754dee

PLFM-9253: Allow code pipeline roles to access synapse dev KMS key
1 parent 0b05b58 commit 6754dee


1 file changed

+4
-15
lines changed


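--- a/sceptre/synapsedev/templates/SynapseCMK-template.json
+++ b/sceptre/synapsedev/templates/SynapseCMK-template.json
@@ -325,7 +325,9 @@
 { "Fn::ImportValue": "us-east-1-accounts-AWSIAMAdminRoleArn" },
 { "Fn::GetAtt": [ "SynapseDeploymentRole", "Arn" ] },
 { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/sagebase-github-oidc-sage-bionetworks-it" },
-{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Administrator_693a85eb20cd5043" }
+{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Administrator_693a85eb20cd5043" },
+{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/Synapse-Build-*-CodeBuildServiceRole" },
+{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/Deployment-Pipeline-CodeBuildServiceRole" }
 ]
 }
 }
@@ -334,20 +336,7 @@
 "Sid": "Allow root administration of the key",
 "Effect": "Allow",
 "Principal": {
-"AWS": [
-{
-"Fn::GetAtt": [
-"SynapseDeploymentRole",
-"Arn"
-]
-},
-{
-"Fn::ImportValue": "us-east-1-accounts-AWSIAMAdminRoleArn"
-},
-{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" },
-{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/sagebase-github-oidc-sage-bionetworks-it" },
-{ "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Administrator_693a85eb20cd5043" }
-]
+"AWS": "*"
 },
 "Action": [
 "kms:*"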
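Review bot: Replacing the explicit principal list with `"AWS": "*"` on the `Allow root administration of the key` statement grants `kms:*` to every AWS principal, including principals in other accounts whose own IAM policies allow this key's ARN, and there is no `Condition` (e.g. on `aws:PrincipalAccount` or `kms:CallerAccount`) to scope it, so this is a public key policy as Access Analyzer and the `kms-key-policy` Config rules define it. Since the removed list already contained the account root ARN, the same-account delegation this appears to be after is obtained by keeping that single entry, `"AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" }`, and letting the CodeBuild roles be authorized by their IAM policies or by the preceding statement where they were just added. Separately, in the first hunk the new principal `role/Synapse-Build-*-CodeBuildServiceRole` uses a partial wildcard, which the IAM `Principal` element does not accept (a `*` is only valid as the sole value), so the stack update is likely to fail with a malformed-policy error unless the exact role ARNs are listed or the match is expressed as an `ArnLike` condition on `aws:PrincipalArn` under a concrete principal. Both statements belong to a key policy whose enclosing `Statement` array starts and ends outside these hunks.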
