ELI-545 - service account creating access to github actions

Karthikeyannhs · Karthikeyannhs · commit 91b8ee69c999 · 2026-03-13T16:42:46.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -611,6 +611,25 @@ resource "aws_iam_policy" "iam_management" {
           "arn:aws:iam::*:role/secret_rotation_lambda_role",
           "arn:aws:iam::*:role/secret_rotation_workflow_role"
         ]
+      },
+      # Scoped User management for Tableau
+      {
+        Effect = "Allow",
+        Action = [
+          "iam:CreateUser",
+          "iam:DeleteUser",
+          "iam:UpdateUser",
+          "iam:TagUser",
+          "iam:CreateAccessKey",
+          "iam:DeleteAccessKey",
+          "iam:UpdateAccessKey",
+          "iam:PutUserPolicy",
+          "iam:DeleteUserPolicy",
+          "iam:GetUser"
+        ],
+        Resource = [
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
+        ]
       }
     ]
   })
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -366,6 +366,26 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
     ]
   }
 
+  # Specific management for Tableau Athena Service Account
+  statement {
+    sid    = "AllowTableauServiceAccountManagement"
+    effect = "Allow"
+    actions = [
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:UpdateAccessKey",
+      "iam:PutUserPolicy",
+      "iam:DeleteUserPolicy",
+      "iam:GetUserPolicy",
+      "iam:TagUser",
+      "iam:UntagUser",
+      "iam:GetUser"
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
+    ]
+  }
+
   # Allow read-only IAM access for Terraform plan/state discovery
   statement {
     sid    = "AllowIamReadAccess"
