Use inline policy to allow assuming cdk* roles

xschildw · xschildw · commit f16de2ca1bc4 · 2024-11-11T13:00:05.000-08:00
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
@@ -836,8 +836,18 @@ GithubOidcNbConvertDeploy:
     ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
     ProviderRoleName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
     MaxSessionDuration: 7200
-    ManagedPolicyArns:
-      - "arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy"
+    PolicyDocument: !Sub |
+      {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Sid": "AssumeRoleStatement",
+                  "Effect": "Allow",
+                  "Action": "sts:AssumeRole",
+                  "Resource": "arn:aws:iam::${AWS::AccountId}:role/cdk-*-role-*-us-east-1"
+              }
+          ]
+      }
   TemplatingContext:
     GitHubOrg: "Sage-Bionetworks"
     Repositories:
