sparse-intern-71089
02/25/2019, 6:42 PMcreamy-potato-29402
02/25/2019, 6:46 PMcreamy-potato-29402
02/25/2019, 6:47 PMbillions-lock-73409
02/25/2019, 7:23 PMconst rolePolicy = new aws.iam.RolePolicy(
'probot_task_policy',
{
role: role,
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: [
'kms:ListKeys',
'kms:ListAliases',
'kms:Describe*',
'kms:Decrypt',
],
Resource: [paramStoreKms.arn],
},
{
Effect: 'Allow',
Action: 'ssm:GetParameters',
Resource: [
`arn:aws:ssm:*:${config.require(
'accountId'
)}:parameter/secrets_probot_scanner/*`,
],
},
],
}),
},
{ parent: role }
);
billions-lock-73409
02/25/2019, 7:23 PMparamStoreKms
is defined in a different module that I’m including, but is available and exported correctlybillions-lock-73409
02/25/2019, 7:27 PMcreamy-potato-29402
02/25/2019, 8:00 PMpolicy: paramStoreKms.arn.apply(arn => JSON.stringify({ ... })
creamy-potato-29402
02/25/2019, 8:00 PMbillions-lock-73409
02/25/2019, 8:01 PMbillions-lock-73409
02/25/2019, 8:06 PMbillions-lock-73409
02/25/2019, 8:07 PMbillions-lock-73409
02/25/2019, 8:07 PMcreamy-potato-29402
02/25/2019, 8:07 PMbillions-lock-73409
02/25/2019, 8:25 PM