Add permission to use adhoc KMS key
U-lis committed Aug 21, 2024
1 parent 7144483 commit c630bc8
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions worker/worker_cdk_stack.py
Expand Up @@ -64,6 +64,14 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
resources=[f"arn:aws:kms:{config.region_name}:{config.account_id}:key/{kms_key_id}"]
)
)
resp = ssm.get_parameter(Name=f"{config.stage}_9c_IAP_ADHOC_KMS_KEY_ID", WithDecryption=True)
kms_key_id = resp["Parameter"]["Value"]
role.add_to_policy(
_iam.PolicyStatement(
actions=["kms:GetPublicKey", "kms:Sign"],
resources=[f"arn:aws:kms:{config.region_name}:{config.account_id}:key/{kms_key_id}"]
)
)
role.add_to_policy(
_iam.PolicyStatement(
actions=["ssm:GetParameter"],
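Review bot: The value read from `{config.stage}_9c_IAP_ADHOC_KMS_KEY_ID` is interpolated straight into the `resources` ARN of the new `kms:GetPublicKey`/`kms:Sign` statement, so the parameter's content decides the scope of the grant. A value such as `*` would cover every key in the account, while an alias or full ARN stored there by mistake would yield a statement that matches nothing. A format check before building the ARN would fail the synth instead, for example `if not re.fullmatch(r"mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", kms_key_id): raise ValueError("unexpected KMS key id in SSM")`; this needs `re` in scope, and the import block is not visible here. The context lines above suggest the earlier statement builds its ARN from `kms_key_id` the same way, and the new code rebinds that name, so a distinct name such as `adhoc_kms_key_id` would keep the two keys apart. `__init__` starts and ends outside the hunk.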
