basti-app / basti

✨ Securely connect to RDS, Elasticache, and other AWS resources in VPCs with no idle cost
https://www.basti.app
MIT License

fix(basti-cdk): Add required IAM permission #56

Closed bobveringa closed 1 year ago

bobveringa commented 1 year ago

During more testing with the rest of my team I found that I forgot to add the permission that allows arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost. This wasn't an issue for the initial roles I tested it with because they were granted this permission by some other policy.

BohdanPetryshyn commented 1 year ago

I just noticed this when I was testing basti-cdk with the test CDK app: https://github.com/BohdanPetryshyn/basti/pull/55/files#diff-b5a46dba7e3da24b7e9a6416e5dd8cc03c8ca8399d5ac09dc942d8aa71faa1fbR175

BohdanPetryshyn commented 1 year ago

But I haven't fixed it yet, just left a FIXME there. This PR definitely makes sense and has to be merged.

BohdanPetryshyn commented 1 year ago

@bobveringa Could you please implement the policies the same way as described here? Just in case.

bobveringa commented 1 year ago

@BohdanPetryshyn With this PR they should be the same, right?

BohdanPetryshyn commented 1 year ago

@bobveringa I can no longer see the changed files, but I remember that the SSM Document resource was added to EC2 and SSM actions while the README only adds the resource to the ssm:StartSession action.
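
The two policy concerns raised in this thread, as an added example (not code from basti-cdk or its README): a small Python check that reports whether a policy grants `ssm:StartSession` on the port-forwarding document, and flags any other action the document resource is attached to. The sample policies, the `ec2:StartInstances` action and the instance ARN placeholder are constructed for illustration.

```python
import fnmatch

# Document name quoted in the first comment of this thread.
DOC_SUFFIX = "document/AWS-StartPortForwardingSessionToRemoteHost"
NEEDED = "ssm:startsession"  # IAM action names are case-insensitive

def _as_list(value):
    # IAM accepts a single string wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (granted, findings) for one IAM policy document (a dict).

    granted  -- True if an Allow statement gives ssm:StartSession on the document
    findings -- (statement index, action) pairs where the document resource is
                attached to an action other than ssm:StartSession
    """
    granted, findings = False, []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(r.endswith(DOC_SUFFIX) for r in resources):
            continue  # statement does not name the SSM document
        for action in _as_list(stmt.get("Action", [])):
            pattern = action.lower()
            if fnmatch.fnmatchcase(NEEDED, pattern):  # handles ssm:* style wildcards
                granted = True
            if pattern != NEEDED:
                findings.append((idx, action))
    return granted, findings

# Constructed sample policies (not taken from basti-cdk or its README).
INSTANCE = "arn:aws:ec2:*:*:instance/i-EXAMPLE"  # placeholder instance ARN
DOCUMENT = "arn:aws:ssm:*:*:" + DOC_SUFFIX
MISSING = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": INSTANCE}]}
MIXED = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ssm:StartSession"],
     "Resource": [INSTANCE, DOCUMENT]}]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": INSTANCE},
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": [INSTANCE, DOCUMENT]}]}

if __name__ == "__main__":
    for name, pol in (("missing", MISSING), ("mixed", MIXED), ("scoped", SCOPED)):
        print(name, audit_policy(pol))
```

The check only looks at statements that list the document ARN explicitly; a `Resource` of `*` would also cover the document and needs a separate review.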