Policy Attachment
The role created by infra/identity/main.tf has no permissions until policies are attached.
Attach Policy in Terraform
Add to infra/identity/main.tf:
# Attach the AWS-managed read-only S3 policy to the GitHub OIDC role.
# module.github_oidc_role.name is the role name exported by the module in this file.
resource "aws_iam_role_policy_attachment" "workflow_access" {
  role       = module.github_oidc_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
Apply:
terraform -chdir=infra/identity plan
terraform -chdir=infra/identity apply
Verify
Get role name:
terraform -chdir=infra/identity output role_name
List attached policies:
aws iam list-attached-role-policies --role-name <role_name>
Principle
Attach only permissions required by the workflow.
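The managed policy AmazonS3ReadOnlyAccess grants read access to every bucket in the account. The following is an added example, not part of the original infra/identity/main.tf, that applies the principle above by attaching a customer-managed policy scoped to a single bucket instead. It assumes a variable named workflow_bucket and reuses module.github_oidc_role.name from the page; it replaces the managed-policy attachment, so keep one or the other, not both.

```hcl
# Name of the one bucket the workflow reads from (assumed variable, set it in terraform.tfvars).
variable "workflow_bucket" {
  type        = string
  description = "S3 bucket the GitHub workflow is allowed to read"
}

# Least-privilege policy document: list one bucket and read its objects, nothing else.
data "aws_iam_policy_document" "workflow_s3_read" {
  statement {
    sid       = "ListWorkflowBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.workflow_bucket}"]
  }

  statement {
    sid       = "ReadWorkflowObjects"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.workflow_bucket}/*"]
  }
}

# Customer-managed policy built from the document above.
resource "aws_iam_policy" "workflow_s3_read" {
  name        = "github-workflow-s3-read"
  description = "Read-only access to ${var.workflow_bucket} for the GitHub OIDC role"
  policy      = data.aws_iam_policy_document.workflow_s3_read.json
}

# Attach the scoped policy to the OIDC role in place of AmazonS3ReadOnlyAccess.
resource "aws_iam_role_policy_attachment" "workflow_access" {
  role       = module.github_oidc_role.name
  policy_arn = aws_iam_policy.workflow_s3_read.arn
}
```

After terraform apply, the Verify step should list only github-workflow-s3-read against the role; any additional attached policy is a sign that broader permissions were left behind.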