
Commit 690ea6d

ELI-545 - corrected the permission boundary location
1 parent 54711fc commit 690ea6d

1 file changed

Lines changed: 21 additions & 20 deletions


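--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -297,6 +297,27 @@ data "aws_iam_policy_document" "permissions_boundary" {
 actions = ["iam:*"]
 resources = ["arn:aws:iam::*:role/${upper(var.project_name)}-*"]
 }
+
+# Specific management for Tableau Athena Service Account
+statement {
+sid = "AllowTableauServiceAccountManagement"
+effect = "Allow"
+actions = [
+"iam:CreateAccessKey",
+"iam:DeleteAccessKey",
+"iam:UpdateAccessKey",
+"iam:PutUserPolicy",
+"iam:DeleteUserPolicy",
+"iam:GetUserPolicy",
+"iam:TagUser",
+"iam:UntagUser",
+"iam:GetUser"
+]
+resources = [
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
+]
+}
+
 }
 
 # Permissions Boundary policy
@@ -366,26 +387,6 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
 ]
 }
 
-
-# Specific management for Tableau Athena Service Account
-statement {
-sid = "AllowTableauServiceAccountManagement"
-effect = "Allow"
-actions = [
-"iam:CreateAccessKey",
-"iam:DeleteAccessKey",
-"iam:UpdateAccessKey",
-"iam:PutUserPolicy",
-"iam:DeleteUserPolicy",
-"iam:GetUserPolicy",
-"iam:TagUser",
-"iam:UntagUser",
-"iam:GetUser"
-]
-resources = [
-"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
-]
-}
-
 # Allow read-only IAM access for Terraform plan/state discovery
 statement {
 sid = "AllowIamReadAccess"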