
Commit fbaef92

authored
fix: add missing Authorization Delegator role to s2s auth policy (#554)
1 parent 2597480 commit fbaef92


2 files changed

+4
-4
lines changed


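--- a/main.tf
+++ b/main.tf
@@ -67,7 +67,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy
 source_service_name = "databases-for-elasticsearch"
 source_resource_group_id = var.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all Elasticsearch instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -112,7 +112,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 count = local.create_backup_kms_auth_policy
 source_service_name = "databases-for-elasticsearch"
 source_resource_group_id = var.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all Elasticsearch instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"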
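Review bot: The `description` on the line after the changed `roles` line still states that the policy only allows the instances "to read" the key, which no longer matches a role set that also grants Authorization Delegator; the same stale wording is in the backup_kms_policy hunk below and in both hunks of solutions/fully-configurable/main.tf. The inline comment justifies the extra role by the backup encryption key, yet it is added to the primary `kms_policy` as well, so the hunk does not make clear whether the wider grant is needed on both policies or only on `backup_kms_policy`; if only the latter, leaving the primary policy at `Reader` keeps the authorization at the smaller scope. Where the role is genuinely needed, the description should say so, e.g. `description = "Allow all Elasticsearch instances in the resource group ${var.resource_group_id} to read and delegate access to the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"`, and the comment should name the backup component that relies on the delegation rather than only "backup encryption key". Both enclosing resource blocks start and end outside the hunks.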

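--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -120,7 +120,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 source_service_account = local.account_id
 source_service_name = "databases-for-elasticsearch"
 source_resource_group_id = module.resource_group.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all Elasticsearch instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -168,7 +168,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 source_service_account = local.account_id
 source_service_name = "databases-for-elasticsearch"
 source_resource_group_id = module.resource_group.resource_group_id
-roles = ["Reader"]
+roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all Elasticsearch instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_instance_guid}"
 resource_attributes {
 name = "serviceName"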
