SSPROD-60803 - Add iam:ListAccountAliases permission for account alias retrieval

ivanbesinovic-sysdig · ivanbesinovic-sysdig · commit 3c3cf71222fd · 2025-10-06T16:43:41.000+02:00
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
@@ -65,6 +65,7 @@ resource "aws_iam_role_policy" "onboarding_role_policy" {
         Action = [
           "account:Get*",
           "account:List*",
+          "iam:ListAccountAliases",
         ]
         Effect   = "Allow"
         Resource = "*"
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
@@ -47,6 +47,7 @@ Resources:
                   Action:
                     - "account:Get*"
                     - "account:List*"
+                    - "iam:ListAccountAliases"
                   Resource: "*"
       ManagedPolicyArns:
         - "${local.arn_prefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess"

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ resource "aws_iam_role_policy" "onboarding_role_policy" {`
`65`	`65`	`Action = [`
`66`	`66`	`"account:Get*",`
`67`	`67`	`"account:List*",`
	`68`	`+ "iam:ListAccountAliases",`
`68`	`69`	`]`
`69`	`70`	`Effect = "Allow"`
`70`	`71`	`Resource = "*"`