Merge pull request #6567 from zalando-incubator/okta-Administrator

Add new okta based Administrator role to KMS keys
zalando-incubator · Oct 31, 2023 · 3d6b699 · 3d6b699
2 parents c579700 + a59104b
commit 3d6b699
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -815,6 +815,7 @@ Resources:
 {{- end }}
                   - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
                   - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
   DeploymentControllerRole:
     Type: AWS::IAM::Role
     Properties:
@@ -1992,6 +1993,7 @@ Resources:
               AWS:
                 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
                 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
             Action:
             - "kms:*"
             - "tag:TagResources"
@@ -2027,7 +2029,9 @@ Resources:
           - Sid: "Allow Administrator to manage and use this key"
             Effect: "Allow"
             Principal:
-              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+              AWS:
+              - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+              - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
             Action:
             - "kms:*"
             - "tag:TagResources"
@@ -2065,6 +2069,7 @@ Resources:
               AWS:
                 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
                 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
             Action:
             - "kms:*"
             - "tag:TagResources"
@@ -2101,6 +2106,7 @@ Resources:
               AWS:
                 - !Sub "arn:aws:iam::${AWS::AccountId}:role/cluster-lifecycle-manager-entrypoint"
                 - !Sub "arn:aws:iam::${AWS::AccountId}:role/Shibboleth-Administrator"
+                - !Sub "arn:aws:iam::${AWS::AccountId}:role/Administrator"
             Action:
             - "kms:*"
             - "tag:TagResources"