fix: add missing IAM permissions for runners from encrypted AMI (#3049)

This should fix missing IAM permissions when running from encrypted AMI. See [this issue](#2927)
philips-labs · Mar 17, 2023 · e0819f6 · e0819f6
1 parent 1de73bf
commit e0819f6
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json
@@ -63,6 +63,18 @@
                 "kms:Decrypt"
             ],
             "Resource": "${ami_kms_key_arn}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateGrant"
+            ],
+            "Resource": "${ami_kms_key_arn}",
+            "Condition": {
+                "Bool": {
+                    "aws:ViaAWSService": "true"
+                }
+            }
 %{ endif ~}
         }
     ]

diff --git a/modules/runners/pool/policies/lambda-pool.json b/modules/runners/pool/policies/lambda-pool.json
@@ -54,6 +54,18 @@
                 "kms:Decrypt"
             ],
             "Resource": "${ami_kms_key_arn}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateGrant"
+            ],
+            "Resource": "${ami_kms_key_arn}",
+            "Condition": {
+                "Bool": {
+                    "aws:ViaAWSService": "true"
+                }
+            }
 %{ endif ~}
         }
     ]