fix: MalformedPolicyDocument error without kms or ssm arns #550

Open
wants to merge 4 commits into
base: master

Conversation

brycelowe

Description

I'd like the option to remove access to KMS and SSM permissions on my IRSA roles while still providing the ability to use this module with the default encryption key provided by AWS. When I attempt to provide an empty list, the IAM policy is invalid because a resource definition is required.

Error: updating IAM Policy (arn:aws:iam:::policy/role-External_Secrets_Policy-20190815225516998100000001): MalformedPolicyDocument: Policy statement must contain resources.
	status code: 400, request id: <id>

Motivation and Context

Most of the secrets in my environment have been created with the default encryption key, so they don't need any special access to KMS or SSM. When attempting to remove this permission I ran into an error applying the configuration because the policy document was malformed.

Breaking Changes

No, this is not a breaking change as the existing default remains intact.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
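The failure described in this PR, as an added Terraform example that is not the module's or this PR's own code: a statement whose ARN list is empty is omitted instead of being rendered with no resources. The variable names, Sids, action lists and the default Secrets Manager ARN pattern are assumptions chosen for illustration.

```hcl
# Added example. Variable names, Sids and action lists are assumptions,
# not taken from the module this PR targets.
variable "secrets_manager_arns" {
  type    = list(string)
  default = ["arn:aws:secretsmanager:*:*:secret:*"]
}

variable "ssm_parameter_arns" {
  type    = list(string)
  default = [] # empty list = grant no SSM access
}

variable "kms_key_arns" {
  type    = list(string)
  default = [] # empty list = grant no KMS access
}

data "aws_iam_policy_document" "external_secrets" {
  # Always present (assuming a non-empty ARN list), so the document
  # never ends up with zero statements.
  statement {
    sid       = "ReadSecrets"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = var.secrets_manager_arns
  }

  # An unconditional statement with resources = [] yields a statement with
  # no resources, which IAM rejects with MalformedPolicyDocument.
  # Emit the statement only when ARNs were supplied.
  dynamic "statement" {
    for_each = length(var.ssm_parameter_arns) > 0 ? [1] : []
    content {
      sid       = "ReadSsmParameters"
      actions   = ["ssm:GetParameter", "ssm:GetParameters"]
      resources = var.ssm_parameter_arns
    }
  }

  dynamic "statement" {
    for_each = length(var.kms_key_arns) > 0 ? [1] : []
    content {
      sid       = "DecryptWithKms"
      actions   = ["kms:Decrypt"]
      resources = var.kms_key_arns
    }
  }
}
```

With both lists left empty, the rendered policy contains only the Secrets Manager statement, so the role carries no KMS or SSM permissions at all.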


@brycelowe brycelowe changed the title fix: resource error without kms or ssm arns fix: Resource error without kms or ssm arns Feb 10, 2025
@brycelowe brycelowe changed the title fix: Resource error without kms or ssm arns fix: MalformedPolicyDocument error without kms or ssm arns Feb 10, 2025
@brycelowe brycelowe marked this pull request as ready for review February 10, 2025 21:57

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Mar 13, 2025
@brycelowe brycelowe force-pushed the bjl/fix/resource-error-without-kms-arns branch from be40269 to 549ea31 Compare March 13, 2025 00:22
@github-actions github-actions bot removed the stale label Mar 14, 2025
@brycelowe
Author

Proposed fix for #557
