infra: allow CI bucket/lambda reads

- add s3 accelerate + lambda get/list permissions
2026-02-03 15:19:06 -08:00 · 2026-02-03 15:19:06 -08:00 · 1c2508b781
commit 1c2508b781
parent 72db2fd5de
1 changed files with 4 additions and 1 deletions
--- a/infra/opentofu/aws/main.tf
+++ b/infra/opentofu/aws/main.tf
@ -127,7 +127,8 @@ data "aws_iam_policy_document" "ami_importer" {
    sid = "BucketRead"
    actions = [
      "s3:GetBucket*",
-      "s3:GetEncryptionConfiguration"
+      "s3:GetEncryptionConfiguration",
+      "s3:GetAccelerateConfiguration"
    ]
    resources = [aws_s3_bucket.image_bucket.arn]
  }
@ -151,6 +152,8 @@ data "aws_iam_policy_document" "ami_importer" {
      "elasticfilesystem:Describe*",
      "iam:Get*",
      "iam:List*",
+      "lambda:Get*",
+      "lambda:List*",
      "dynamodb:Describe*",
      "dynamodb:ListTagsOfResource"
    ]