Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: MalformedPolicyDocument error without kms or ssm arns #550

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fix: MalformedPolicyDocument error without kms or ssm arns #550

wants to merge 4 commits into from

Conversation

brycelowe
Copy link

Description

I'd like the option to remove access to KMS and SSM permissions on my IRSA roles while still providing the ability to use this module with the default encryption key provided by AWS. When I attempt to provide an empty list, the IAM policy is invalid because a resource definition is required.

Error: updating IAM Policy (arn:aws:iam:::policy/role-External_Secrets_Policy-20190815225516998100000001): MalformedPolicyDocument: Policy statement must contain resources.
	status code: 400, request id: <id>

Motivation and Context

Most of the secrets in my environment have been created with the default encryption key, so they don't need any special access to KMS or SSM. When attempting to remove this permission I ran into an error applying the configuration because the policy document was malformed.

Breaking Changes

No, this is not a breaking change as the existing default remains intact.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@brycelowe
fix: allow empty kms and ssm arns
97b9c59 
I'd like the option to remove access to KMS and SSM permissions on my IRSA roles while still providing the ability to use this module with the default encryption key provided by AWS.  When I attempt to provide an empty list, the IAM policy is invalid because a resource definition is required.
@brycelowe
fix: linters
83debd9
@brycelowe
fix: include examples
c3035d9
@brycelowe brycelowe changed the title fix: resource error without kms or ssm arns fix: Resource error without kms or ssm arns Feb 10, 2025
@brycelowe brycelowe changed the title fix: Resource error without kms or ssm arns fix: MalformedPolicyDocument error without kms or ssm arns Feb 10, 2025
@brycelowe brycelowe marked this pull request as ready for review February 10, 2025 21:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@brycelowe