fix: add missing IAM permissions for runners from encrypted AMI (#3049)

marko-fabry · web-flow · commit e0819f616c32 · 2023-03-17T10:07:31.000+01:00
This should fix missing IAM permissions when running from encrypted AMI. See [this issue](https://github.com/philips-labs/terraform-aws-github-runner/issues/2927)
diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json
@@ -63,6 +63,18 @@
                 "kms:Decrypt"
             ],
             "Resource": "${ami_kms_key_arn}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateGrant"
+            ],
+            "Resource": "${ami_kms_key_arn}",
+            "Condition": {
+                "Bool": {
+                    "aws:ViaAWSService": "true"
+                }
+            }
 %{ endif ~}
         }
     ]
diff --git a/modules/runners/pool/policies/lambda-pool.json b/modules/runners/pool/policies/lambda-pool.json
@@ -54,6 +54,18 @@
                 "kms:Decrypt"
             ],
             "Resource": "${ami_kms_key_arn}"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateGrant"
+            ],
+            "Resource": "${ami_kms_key_arn}",
+            "Condition": {
+                "Bool": {
+                    "aws:ViaAWSService": "true"
+                }
+            }
 %{ endif ~}
         }
     ]
