Add missing KMS permission policy

keithduncan · keithduncan · commit b6c448dbaf88 · 2021-06-21T11:26:06.000+10:00
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -677,6 +677,17 @@ Resources:
                  - !Ref 'AWS::NoValue'
           - !Ref 'AWS::NoValue'
       Policies:
+        - !If
+          - UseCustomerManagedKeyForParameterStore
+          - PolicyName: DecryptAgentToken
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action: kms:Decrypt
+                  Resource:
+                    !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${BuildkiteAgentTokenParameterStoreKMSKey}
+          - !Ref 'AWS:NoValue'
         - PolicyName: ReadAgentToken
           PolicyDocument:
             Version: '2012-10-17'
