Commit 2bea7bd

fix: add kms:Encrypt permission, as needed since f25a86b (#1008)
## Description

Since the [addition of KeyId](f25a86b#diff-dc46acf24afd63ef8c556b77c126ccc6e578bc87e3aa09a931f33d9bf2532fbbR18) to the SSM parameter used to store the registration token, the replacement of the parameter following a failed token verification fails. This is due to a missing Encrypt permission on the customer managed KMS key. The initial put-parameter presumably passes due to a shortcut on the encryption when the value is null, but the [subsequent overwrite attempt](https://github.com/cattle-ops/terraform-aws-gitlab-runner/blob/5100efd3445c3f06e5089d970da5a3a0341624eb/template/gitlab-runner.tftpl#L53) fails.

## Migrations required

NO

## Verification

Manual addition of the kms:Encrypt permission has been proved to resolve the runner start-up failure

1 parent 5100efd commit 2bea7bd

1 file changed: +1 -0 lines changed

policies/instance-kms-policy.json

Lines changed: 1 addition & 0 deletions
@@ -3,6 +3,7 @@
33
"Statement": [
44
{
55
"Action": [
6+
"kms:Encrypt",
67
"kms:Decrypt",
78
"kms:GenerateDataKey"
89
],
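
Review bot: the added "kms:Encrypt" entry in the Action list gives the instance role a new capability on the key, but the statement's Resource and any Condition sit outside this hunk, so the scope of the grant cannot be confirmed from the diff. Please check that Resource names only the customer managed key used for the registration-token parameter and not "*". The only caller the commit message describes is the SSM parameter overwrite, so consider a Condition on kms:EncryptionContext:PARAMETER_ARN to limit use of the key to that parameter. JSON cannot carry a comment, so a short line in the module documentation on why Encrypt is required alongside Decrypt and GenerateDataKey would help later reviewers.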
