BFD-3819: GitHub Actions IAM Role lacks permissions to manage IAM pol…

…icies and KMS key policies (#2522)
CMSgov · Jan 14, 2025 · 938d25e · 938d25e
1 parent 57bdb06
commit 938d25e
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/ops/terraform/env/mgmt/github-actions-iam.tf b/ops/terraform/env/mgmt/github-actions-iam.tf
@@ -403,6 +403,14 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
           ]
           Resource = "*"
         },
+        {
+          Sid    = "AllowPolicyManagementOfAllKeys"
+          Effect = "Allow"
+          Action = [
+            "kms:PutKeyPolicy",
+          ]
+          Resource = "*"
+        },
         {
           Sid    = "AllowSNS"
           Effect = "Allow"
@@ -427,7 +435,8 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
           Action = [
             "iam:Get*",
             "iam:List*",
-            "iam:DeletePolicyVersion"
+            "iam:DeletePolicyVersion",
+            "iam:CreatePolicyVersion"
           ]
           Resource = "*"
         },