fix: Allow staging users role assumption only by main principal

Allowing the S3 Batch Operations service was not necessary after all, and caused non-prod deployment to hit a known CDK limitation <aws/aws-cdk#1578>.
linz · Jun 22, 2021 · ed6b6b4 · ed6b6b4
1 parent c9541c4
commit ed6b6b4
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/infrastructure/constructs/processing.py b/infrastructure/constructs/processing.py
@@ -387,9 +387,7 @@ def __init__(
         staging_users_role = aws_iam.Role(
             self,
             "staging-users-role",
-            assumed_by=aws_iam.CompositePrincipal(  # type: ignore[arg-type]
-                principal, aws_iam.ServicePrincipal("batchoperations.s3.amazonaws.com")
-            ),
+            assumed_by=principal,  # type: ignore[arg-type]
             max_session_duration=MAX_SESSION_DURATION,
             role_name=ResourceName.STAGING_USERS_ROLE_NAME.value,
         )