ecr.tf: restore Vault account access to ecr_pushpull_role
At some point it seems like the sts:AssumeRole permission was
dropped for the Vault ARN and limited to only ec2 instances.
This adds the Vault ARN back in as a principal which should
restore their access.
Change-Id: I993bd05b8bd8f441444f50890e514ea74ccbf911
diff --git a/ecr.tf b/ecr.tf
index a395bd0..0c15ffb 100644
--- a/ecr.tf
+++ b/ecr.tf
@@ -14,9 +14,11 @@
{
"Effect": "Allow",
"Principal": {
- "AWS": [ "987685672616",
- "arn:aws:iam::487149096843:user/vault"
- ]
+ "AWS": [
+ "987685672616",
+ "arn:aws:iam::487149096843:user/vault"
+ ],
+ "Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
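Review bot: The removed lines of the Principal block already list "arn:aws:iam::487149096843:user/vault", so the only functional change in this hunk is the new "Service": "ec2.amazonaws.com" entry. The rest is reformatting of the "AWS" array. That does not match the commit message, which says the Vault ARN is being added back as a principal. Please confirm which base this was diffed against, and reword the message to describe what actually changes (EC2 service principal added, Vault ARN retained). Separately, the bare account ID "987685672616" in "AWS" trusts every principal in that account that is allowed to call sts:AssumeRole. If only specific roles or users need ecr_pushpull_role, list their ARNs instead, or add a "Condition" block to the statement.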