Closed benbridts closed 4 months ago
Thank you for your patience. I am pleased to inform you that this issue has been resolved in our latest release v4.0.0 just now. v4.0.0 changed the permissions used by ADF significantly. Please take a look at the release notes to learn more. I'm hereby closing this issue. Please open a new issue if you are experiencing any issues with the latest release. Or reopen if you think this needs to be addressed differently.
We already have a process to provision accounts, and are going to use a separate role dedicated to ADF for the bootstrap provisioning.
It would be great if the documentation would mention:
From a quick look at the code, it seems that some of the required permissions are:
For "generic accounts":

- `kms_arn`, `bucket_name` and `deployment_account_id`

For the deployment account:

- `/cross_region/kms_arn/{region}` and `/cross_region/s3_regional_bucket/{region}`

For the management account:

- `deployment_account_id`
- `organization_id`, `master_account_id`, `notification_endpoint`, `notification_type`, `cross_account_access_role`, `deployment_account_bucket`, `adf_version`, and `adf_log_level`

It might also be possible to move some things around / work with tags so that names are more predictable, and this becomes easier to write (e.g. putting all Parameters under `/adf/`).