Merge pull request #618 from valorl/sops-minimal-policy

sops: Use minimal, decrypt-only policy for AWS
fluxcd · Nov 5, 2021 · 1bfc097 · 1bfc097
2 parents 750a390 + cd8f036
commit 1bfc097
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/content/en/docs/guides/mozilla-sops.md b/content/en/docs/guides/mozilla-sops.md
@@ -205,10 +205,7 @@ Create an IAM Role with access to AWS KMS e.g.:
     "Statement": [
         {
             "Action": [
-                "kms:Encrypt",
                 "kms:Decrypt",
-                "kms:ReEncrypt*",
-                "kms:GenerateDataKey*",
                 "kms:DescribeKey"
             ],
             "Effect": "Allow",
@@ -218,6 +215,12 @@ Create an IAM Role with access to AWS KMS e.g.:
 }
 ```
 
+{{% alert color="info" title="Hint" %}}
+The above policy represents the minimal permissions needed for the controller
+to be able to decrypt secrets. Policies for users/clients who are meant to be encrypting and managing
+secrets will additionally require the `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` actions.
+{{% /alert %}}
+
 Bind the IAM role to the `kustomize-controller` service account:
 
 ```sh