From 5a5d5cf0292c9636048087a98202173ff0311443 Mon Sep 17 00:00:00 2001
From: Thomas Barizien
Date: Thu, 13 Nov 2025 14:52:20 +0100
Subject: [PATCH] Create recommended-inline-policy for secret management

When only using AmazonRDSFullAccess and setting a DBInstance `spec.manageMasterUserPassword` to true, the controller would fail on DBInstanceCreate because of insufficient permissions (first to use KMS keys then to create passwords) . This allows the controller to create and manage secrets in secrets manager.

---
config/iam/recommended-inline-policy | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 config/iam/recommended-inline-policy

diff --git a/config/iam/recommended-inline-policy b/config/iam/recommended-inline-policy
new file mode 100644
index 00000000..901e061a
--- /dev/null
+++ b/config/iam/recommended-inline-policy
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "SecretsManagerPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:CreateSecret",
+ "secretsmanager:UpdateSecret",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DeleteSecret",
+ "secretsmanager:TagResource"
+ ],
+ "Resource": "arn:aws:secretsmanager:*:*:secret:rds!*"
+ },
+ {
+ "Sid": "KMSPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey"
+ ],
+ "Resource": "arn:aws:kms:*:*:key/*"
+ }
+ ]
+}
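Review bot: The `KMSPermissions` statement grants `kms:Decrypt`, `kms:GenerateDataKey` and `kms:DescribeKey` on `arn:aws:kms:*:*:key/*`, i.e. every KMS key in every account and region the principal can reach, which is far broader than the RDS master-password use case this policy is added for. If the controller only needs KMS indirectly through Secrets Manager, a condition such as `"Condition": {"StringLike": {"kms:ViaService": "secretsmanager.*.amazonaws.com"}}` (or a `Resource` narrowed to the specific key ARN when a customer-managed key is used) confines the grant to that path; I have not verified which of the two the controller's call pattern requires, so this should be checked against a real `DBInstanceCreate` with a customer-managed key. The `SecretsManagerPermissions` resource likewise leaves the account field as `*`; substituting the deploying account ID avoids the statement matching same-named `rds!*` secrets in other accounts the principal might be granted access to. Since the file is committed without a `.json` extension and no documentation is touched in this commit, a short pointer in the IAM setup docs to this policy and when it is needed (`spec.manageMasterUserPassword: true`) would help operators find it.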