I needed to give one user access to the secrets in prod.
For that I created one policy:
iam -> Policies -> secret_manager_access_slackbot_prod
```json
{
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecrets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:secretsmanager:eu-west-1:ACCOUNT_ID:secret:/prod/external-secret-slackbot-prod-s10R5l"
      ]
    },
    {
      "Action": [
        "secretsmanager:ListSecrets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```
Local access to the buckets was also needed:
iam -> Policies -> public-image-front-dev-rw
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:PutAccessPointPublicAccessBlock",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:ListMultiRegionAccessPoints",
        "s3:CreateJob",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "iam:ListAccessKeys",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::public-image-front/*",
        "arn:aws:s3:::public-image-front",
        "arn:aws:s3:::test-common-image-front-dev",
        "arn:aws:s3:::test-common-image-front-dev/*"
      ]
    }
  ]
}
```
Then attach these policies to the user.
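As an added example (not part of the original post), a small audit script that reads an IAM policy document like the two above and flags the statements a reviewer would question before attaching it: service-wide wildcards such as `s3:*`, write actions granted on `Resource: "*"`, and `Put*PublicAccessBlock` permissions. The embedded sample is a constructed, trimmed copy of the post's public-image-front-dev-rw policy.

```python
import json

# Actions that change data or configuration; granted on Resource "*" they deserve review.
WRITE_PREFIXES = ("Put", "Create", "Update", "Delete", "Attach")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[str]:
    """Return least-privilege findings for one IAM policy document (Allow statements only)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if name == "*":
                findings.append(f"{sid}: service-wide wildcard {action} on {resources}")
            elif "*" in resources and name.startswith(WRITE_PREFIXES):
                findings.append(f"{sid}: write action {action} allowed on Resource '*'")
            if name.startswith("Put") and name.endswith("PublicAccessBlock"):
                findings.append(f"{sid}: {action} can disable public-access protection")
    return findings


# Constructed sample: a trimmed copy of the post's public-image-front-dev-rw policy.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:PutAccountPublicAccessBlock",
                "s3:PutObject", "iam:ListAccessKeys"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::public-image-front", "arn:aws:s3:::public-image-front/*"]}
  ]
}""")

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
```

Run it against the full policy JSON before `attach-user-policy`; every line it prints is a statement to narrow to a specific bucket or action.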