VIA-615 AJ/AS Provide appropriate permissions to get secrets in cache hydrator

ankur-jain-nhs · ankur-jain-nhs · commit 4b3382176ec9 · 2025-11-28T16:25:49.000Z
diff --git a/infrastructure/modules/deploy_app/policies/server-lambda-iam-policy.json b/infrastructure/modules/deploy_app/policies/server-lambda-iam-policy.json
@@ -1,11 +1,6 @@
 {
   "Version": "2012-10-17",
   "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": ["kms:Decrypt"],
-      "Resource": "arn:aws:kms:${region}:${account_id}:alias/aws/ssm"
-    },
     {
       "Effect": "Allow",
       "Action": ["s3:ListBucket", "s3:GetObject"],
diff --git a/infrastructure/modules/deploy_lambda/policies/cache-lambda-iam-role-policy.json b/infrastructure/modules/deploy_lambda/policies/cache-lambda-iam-role-policy.json
@@ -3,14 +3,8 @@
   "Statement": [
     {
       "Effect": "Allow",
-      "Action": ["kms:Decrypt"],
-      "Resource": "arn:aws:kms:${region}:${account_id}:alias/aws/ssm"
-    },
-
-    {
-      "Effect": "Allow",
-      "Action": ["ssm:GetParameter"],
-      "Resource": "arn:aws:ssm:${region}:${account_id}:parameter/${prefix}/*"
+      "Action": ["secretsmanager:GetSecretValue"],
+      "Resource": "arn:aws:secretsmanager:${region}:${account_id}:secret:/vita/*"
     },
 
     {

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Version": "2012-10-17",`
`3`	`3`	`"Statement": [`
`4`		`- {`
`5`		`- "Effect": "Allow",`
`6`		`- "Action": ["kms:Decrypt"],`
`7`		`- "Resource": "arn:aws:kms:${region}:${account_id}:alias/aws/ssm"`
`8`		`- },`
`9`	`4`	`{`
`10`	`5`	`"Effect": "Allow",`
`11`	`6`	`"Action": ["s3:ListBucket", "s3:GetObject"],`