Merge pull request #110 from OWASP/feat/s3-user

feat: add s3 user
OWASP · Nov 8, 2022 · 321ed85 · 321ed85
2 parents c305425 + 1619187
commit 321ed85
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/aws/irsa.tf b/aws/irsa.tf
@@ -118,4 +118,52 @@ data "aws_iam_policy_document" "user_policy" {
     ]
     resources = ["*"]
   }
+
+  statement {
+    sid    = "canassume"
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+    resources = [aws_iam_role.secret_reader.arn]
+  }
+}
+
+resource "aws_iam_role" "secret_reader" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_for_secret_reader.json
+}
+
+data "aws_iam_policy_document" "assume_role_for_secret_reader" {
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.user_role.arn]
+    }
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy" "user_secret_reader" {
+  name   = "saywhatnow"
+  role   = aws_iam_role.secret_reader.id
+  policy = data.aws_iam_policy_document.user_secret_reader.json
+}
+
+data "aws_iam_policy_document" "user_secret_reader" {
+  statement {
+    sid    = "readsecrets"
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:Describe*",
+      "secretsmanager:Get*",
+      "secretsmanager:List*",
+      "ssm:DescribeParameters",
+      "ssm:GetParameter*"
+    ]
+
+    resources = ["*"]
+  }
 }