Fix missing tag role permission

**Why?** When deploying ADF as a fresh installation, it requires `iam:TagRole` permission to create the cross-account management role. This was not required in the past, so existing IAM roles were not impacted. **What?** Added the required permission and limited it to the two roles it needs to create. Additionally, removal of `iam:PassRole` as that was not used anywhere in the management account.
awslabs · May 27, 2024 · d6d197e · d6d197e
1 parent 4a4d7c9
commit d6d197e
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/src/template.yml b/src/template.yml
@@ -923,15 +923,20 @@ Resources:
               - "organizations:DescribeOrganizationalUnit"
               - "organizations:ListParents"
               - "cloudformation:*"
-              - "iam:GetRole"
-              - "iam:PassRole"
-              - "iam:CreateRole"
-              - "iam:PutRolePolicy"
               - "organizations:DescribeOrganization"
               - "organizations:DescribeAccount"
               - "ssm:*"
               - "states:StartExecution"
             Resource: "*"
+          - Effect: "Allow"
+            Action:
+              - "iam:CreateRole"
+              - "iam:GetRole"
+              - "iam:PutRolePolicy"
+              - "iam:TagRole"
+            Resource:
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}"
+              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}-readonly"
           - Effect: "Allow"
             Action: "s3:ListBucket"
             Resource: !GetAtt BootstrapTemplatesBucket.Arn