From d6d197e90c1cba8b32ff0dbc2c89a1e056b499d9 Mon Sep 17 00:00:00 2001
From: Simon Kok
Date: Fri, 24 May 2024 20:35:41 +0200
Subject: [PATCH] Fix missing tag role permission
**Why?** When deploying ADF as a fresh installation, it requires `iam:TagRole` permission to create the cross-account management role. This was not required in the past, so existing IAM roles were not impacted.
**What?** Added the required permission and limited it to the two roles it needs to create. Additionally, removal of `iam:PassRole` as that was not used anywhere in the management account.
---
 src/template.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/template.yml b/src/template.yml
index bbd852a90..083f0e4e0 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -923,15 +923,20 @@ Resources:
 - "organizations:DescribeOrganizationalUnit"
 - "organizations:ListParents"
 - "cloudformation:*"
- - "iam:GetRole"
- - "iam:PassRole"
- - "iam:CreateRole"
- - "iam:PutRolePolicy"
 - "organizations:DescribeOrganization"
 - "organizations:DescribeAccount"
 - "ssm:*"
 - "states:StartExecution"
 Resource: "*"
+ - Effect: "Allow"
+ Action:
+ - "iam:CreateRole"
+ - "iam:GetRole"
+ - "iam:PutRolePolicy"
+ - "iam:TagRole"
+ Resource:
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}"
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}-readonly"
 - Effect: "Allow"
 Action: "s3:ListBucket"
 Resource: !GetAtt BootstrapTemplatesBucket.Arn
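Review bot: The new scoped statement carries no comment recording why `iam:TagRole` is needed or why these four IAM actions are confined to the two cross-account role ARNs; the reasoning lives only in the commit message, so a reader of template.yml alone cannot tell whether the scoping is deliberate. Add above the new `- Effect: "Allow"` a comment such as `# Creating the cross-account access roles on a fresh install needs iam:TagRole; keep these IAM actions scoped to those two roles only, never "*".` so the restriction survives future edits. Separately, the statement grants create/get/put but no `iam:UpdateAssumeRolePolicy`, `iam:DeleteRolePolicy`, `iam:DeleteRole` or `iam:UntagRole`; if these roles are managed through a CloudFormation stack run under this policy (the surrounding statement keeps `cloudformation:*`), a later trust-policy change or stack deletion would fail on those actions, so confirm which lifecycle paths this role must cover before merging. The enclosing policy statement list begins before the hunk.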