
Commit 83381ef

fix: add missing Authorization Delegator role to s2s auth policy (#664)
1 parent 2b5f5e0 commit 83381ef


3 files changed

+5
-5
lines changed


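--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
-"generated_at": "2025-10-04T04:28:29Z",
+"generated_at": "2025-10-05T04:28:29Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"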

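--- a/main.tf
+++ b/main.tf
@@ -67,7 +67,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy
 source_service_name = "databases-for-mongodb"
 source_resource_group_id = var.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all MongoDB instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -112,7 +112,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 count = local.create_backup_kms_auth_policy
 source_service_name = "databases-for-mongodb"
 source_resource_group_id = var.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all MongoDB instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"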
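Review bot: The `description` context line directly below the changed `roles` line still says the instances are allowed only "to read" the key, while the new role list grants more than read (Authorization Delegator allows the source service to pass its access to the target on to another service), so the policy's own description now understates what it grants; this description is what an operator sees when listing authorization policies during an access review. I would update it in the same commit, e.g. `description = "Allow all MongoDB instances in the resource group ${var.resource_group_id} to read and delegate access to the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"`. The same mismatch exists in the `backup_kms_policy` hunk below and in both hunks of `solutions/fully-configurable/main.tf`. Both resource blocks continue past the hunk, so the `resource_attributes` scoping that limits the grant to one key instance is only partly visible here.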

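--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -120,7 +120,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 source_service_account = local.account_id
 source_service_name = "databases-for-mongodb"
 source_resource_group_id = module.resource_group.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all MongoDB instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -168,7 +168,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 source_service_account = local.account_id
 source_service_name = "databases-for-mongodb"
 source_resource_group_id = module.resource_group.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all MongoDB instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_instance_guid}"
 resource_attributes {
 name = "serviceName"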
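Review bot: The inline comment added on the `kms_policy` hunk, `# Authorization Delegator role required for backup encryption key`, is the same text as on `backup_kms_policy` and does not say why a policy on the primary key (`local.kms_key_id`) needs the extra role, so a later reader will read it as a copy-paste error and may be tempted to drop the role from this policy. If the reason is that backups use the primary key when no dedicated backup key is configured (which I cannot confirm from this diff), the comment should state that in terms of this policy, e.g. `# Authorization Delegator lets the instance delegate key access to the backup service; needed here because backups use this key when no separate backup key is set`. The same copied comment is on the `kms_policy` hunk of the top-level `main.tf`. Both resource blocks extend beyond the hunk.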
