Merge pull request #325 from futurice/fix-replication-role

fix permission for log replication
futurice · Aug 6, 2020 · ba32f2d · ba32f2d
2 parents 614e628 + aa1b41b
commit ba32f2d
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/infra/logging.tf b/infra/logging.tf
@@ -75,7 +75,8 @@ resource "aws_iam_policy" "replication" {
     {
       "Action": [
         "s3:GetObjectVersion",
-        "s3:GetObjectVersionAcl"
+        "s3:GetObjectVersionAcl",
+        "s3:GetObjectVersionTagging"
       ],
       "Effect": "Allow",
       "Resource": [
@@ -85,7 +86,9 @@ resource "aws_iam_policy" "replication" {
     {
       "Action": [
         "s3:ReplicateObject",
-        "s3:ReplicateDelete"
+        "s3:ReplicateDelete",
+        "s3:ReplicateTags",
+        "s3:ObjectOwnerOverrideToBucketOwner"
       ],
       "Effect": "Allow",
       "Resource": "${var.central_log_vault_arn}/*"