IT-3988: Replace inline policy by managed policy (#1282)

* Replace inline policy by managed policy * Moved comment per review
Sage-Bionetworks-IT · Nov 13, 2024 · 4232b74 · 4232b74
1 parent 0783dab
commit 4232b74
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 12 deletions.
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
@@ -389,6 +389,7 @@ SynapseAthenaUserAccessPolicy:
       }
     PolicyName: SynapseAthenaUserAccessPolicy
 
+#   https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
 SynapseLlmDeveloperPolicy:
   Type: update-stacks
   Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml

diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
@@ -641,18 +641,7 @@ SsoLlmDeveloper:
     managedPolicies:
       - 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess'
       - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
-#   https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
-    inlinePolicy: >-
-      {
-          "Version": "2012-10-17",
-          "Statement": [
-              {
-                  "Effect": "Allow",
-                  "Action": "s3:*",
-                  "Resource": "arn:aws:s3:::cf-template*"
-              }
-          ]
-      }
+      - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/SynapseLlmDeveloperPolicy'
     sessionDuration: 'PT12H'
 
 # Role for a user that can only access AWS Athena in the Synapse Dev account