Include TagSession privilege for assumed roles. (#189)

jgadling · web-flow · commit e2c9d0b59655 · 2020-05-01T08:54:14.000-07:00
Add privileges to be compatible with GitHub AWS Auth action
diff --git a/aws-iam-group-assume-role/main.tf b/aws-iam-group-assume-role/main.tf
@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "assume-role" {
   statement {
     sid       = "assume0"
     resources = local.account_arns
-    actions   = ["sts:AssumeRole"]
+    actions   = ["sts:AssumeRole", "sts:TagSession"]
   }
 }
 
diff --git a/aws-iam-role-crossacct/main.tf b/aws-iam-role-crossacct/main.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "assume-role" {
         type        = "AWS"
         identifiers = ["arn:aws:iam::${statement.value}:root"]
       }
-      actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRole", "sts:TagSession"]
     }
   }
 
@@ -17,7 +17,7 @@ data "aws_iam_policy_document" "assume-role" {
         type        = "AWS"
         identifiers = ["arn:aws:iam::${statement.value}:root"]
       }
-      actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRole", "sts:TagSession"]
     }
   }
 
@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "assume-role" {
         identifiers = [statement.value]
       }
 
-      actions = ["sts:AssumeRoleWithSAML"]
+      actions = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
 
       condition {
         test     = "StringEquals"
@@ -49,7 +49,7 @@ data "aws_iam_policy_document" "assume-role" {
         identifiers = [oidc.value["idp_arn"]]
       }
 
-      actions = ["sts:AssumeRoleWithWebIdentity"]
+      actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
       condition {
         test     = "StringEquals"
         variable = "${oidc.value["provider"]}:aud"

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "assume-role" {`
`26`	`26`	`statement {`
`27`	`27`	`sid = "assume0"`
`28`	`28`	`resources = local.account_arns`
`29`		`- actions = ["sts:AssumeRole"]`
	`29`	`+ actions = ["sts:AssumeRole", "sts:TagSession"]`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "assume-role" {`
`6`	`6`	`type = "AWS"`
`7`	`7`	`identifiers = ["arn:aws:iam::${statement.value}:root"]`
`8`	`8`	`}`
`9`		`- actions = ["sts:AssumeRole"]`
	`9`	`+ actions = ["sts:AssumeRole", "sts:TagSession"]`
`10`	`10`	`}`
`11`	`11`	`}`
`12`	`12`
`@@ -17,7 +17,7 @@ data "aws_iam_policy_document" "assume-role" {`
`17`	`17`	`type = "AWS"`
`18`	`18`	`identifiers = ["arn:aws:iam::${statement.value}:root"]`
`19`	`19`	`}`
`20`		`- actions = ["sts:AssumeRole"]`
	`20`	`+ actions = ["sts:AssumeRole", "sts:TagSession"]`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
`@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "assume-role" {`
`29`	`29`	`identifiers = [statement.value]`
`30`	`30`	`}`
`31`	`31`
`32`		`- actions = ["sts:AssumeRoleWithSAML"]`
	`32`	`+ actions = ["sts:AssumeRoleWithSAML", "sts:TagSession"]`
`33`	`33`
`34`	`34`	`condition {`
`35`	`35`	`test = "StringEquals"`
`@@ -49,7 +49,7 @@ data "aws_iam_policy_document" "assume-role" {`
`49`	`49`	`identifiers = [oidc.value["idp_arn"]]`
`50`	`50`	`}`
`51`	`51`
`52`		`- actions = ["sts:AssumeRoleWithWebIdentity"]`
	`52`	`+ actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]`
`53`	`53`	`condition {`
`54`	`54`	`test = "StringEquals"`
`55`	`55`	`variable = "${oidc.value["provider"]}:aud"`