[IT-3831] fix GH OIDC permissions for image builder (#1325)

The image builder template can do all sorts of things, like create roles. Therefore we need to up the permission when deploying it to imagecentral.
Sage-Bionetworks-IT · Jan 21, 2025 · b27fe0e · b27fe0e
1 parent cc1a210
commit b27fe0e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
@@ -480,8 +480,8 @@ GithubOidcImageBuilderDeploy:
     ProviderRoleName: !Sub ${resourcePrefix}-${appName}-imagebuilder-deploy
     MaxSessionDuration: 7200
     ManagedPolicyArns:
-      - arn:aws:iam::aws:policy/AWSImageBuilderFullAccess
-      - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+      - "arn:aws:iam::aws:policy/AdministratorAccess"
+      - "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
   TemplatingContext:
     GitHubOrg: "Sage-Bionetworks-IT"
     Repositories: