add missing kms permissions related to s3 (#8)

kldavis4 · web-flow · commit a19f9c86010a · 2021-07-21T19:08:47.000-04:00
diff --git a/aws/terraform/modules/metaflow/iam.tf b/aws/terraform/modules/metaflow/iam.tf
@@ -61,14 +61,10 @@ data "aws_iam_policy_document" "s3_kms" {
   statement {
     effect = "Allow"
 
-    # TODO - reduce to Encrypt, Decrypt?
     actions = [
       "kms:Decrypt",
       "kms:Encrypt",
-      # "kms:ReEncryptTo",
-      # "kms:ReEncryptFrom",
-      # "kms:DescribeKey",
-      # "kms:GenerateDataKey"
+      "kms:GenerateDataKey"
     ]
 
     resources = [
@@ -224,6 +220,12 @@ resource "aws_iam_role_policy" "grant_custom_s3_batch" {
   policy = data.aws_iam_policy_document.custom_s3_batch.json
 }
 
+resource "aws_iam_role_policy" "grant_s3_kms" {
+  name   = "s3_kms"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.s3_kms.json
+}
+
 resource "aws_iam_role_policy" "grant_deny_presigned_batch" {
   name   = "deny_presigned"
   role   = aws_iam_role.batch_s3_task_role.name
diff --git a/aws/terraform/modules/metaflow/modules/metadata-service/iam.tf b/aws/terraform/modules/metaflow/modules/metadata-service/iam.tf
@@ -31,6 +31,7 @@ data "aws_iam_policy_document" "s3_kms" {
     actions = [
       "kms:Decrypt",
       "kms:Encrypt",
+      "kms:GenerateDataKey"
     ]
 
     resources = [

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ data "aws_iam_policy_document" "s3_kms" {`
`31`	`31`	`actions = [`
`32`	`32`	`"kms:Decrypt",`
`33`	`33`	`"kms:Encrypt",`
	`34`	`+ "kms:GenerateDataKey"`
`34`	`35`	`]`
`35`	`36`
`36`	`37`	`resources = [`