Hello, community!
We have a cronjob running on Qovery. This cronjob assumes a role using the AWS SDK, to apply least privilege. However, when trying to assume the role, we are facing the following error:
AccessDenied: User: arn:aws:sts::[ACCOUNT_ID]:assumed-role/qovery-eks-workers-[CLUSTER]/i-[ID] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME]
Debugging it with AWS support, we found that we are missing a policy on the Qovery workers role (qovery-eks-workers-[CLUSTER]):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Resource": "*"
      }
    ]
  }
Is there a way to customize the policies when creating the cluster? We’d like to Terraform this policy change to ease the deployment of new clusters, but it doesn’t seem doable as of today, or is it?
Thanks for the help!
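One way to express the fix above in Terraform, as an added example that is not part of the original post and not Qovery's own code. It assumes the worker role already exists (created by Qovery, so it is read with a data source rather than managed), and that the cronjob role is managed in the same configuration; the variable names and the `cronjob_role_name` value are placeholders. Two points differ from the policy AWS support suggested: `Resource` is scoped to the single cronjob role ARN instead of `"*"`, so the nodes cannot assume every role in the account, and the cronjob role's trust policy explicitly names the worker role, since AssumeRole is denied unless both the caller's identity policy and the target role's trust policy allow it.

```hcl
# Added example (not Qovery's code): grant the Qovery EKS worker role
# permission to assume one cronjob role, and trust the worker role on that role.
# Assumed inputs: cluster_id is the [CLUSTER] suffix of the worker role name,
# cronjob_role_name is the role the cronjob assumes (both placeholders).

variable "cluster_id" {
  type = string
}

variable "cronjob_role_name" {
  type = string
}

# The worker role is created by Qovery; reference it instead of managing it.
data "aws_iam_role" "workers" {
  name = "qovery-eks-workers-${var.cluster_id}"
}

# Trust policy for the cronjob role: only the worker role may assume it.
data "aws_iam_policy_document" "cronjob_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_iam_role.workers.arn]
    }
  }
}

resource "aws_iam_role" "cronjob" {
  name               = var.cronjob_role_name
  assume_role_policy = data.aws_iam_policy_document.cronjob_trust.json
}

# Identity policy for the worker role, scoped to the cronjob role ARN
# rather than Resource = "*".
data "aws_iam_policy_document" "assume_cronjob_role" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.cronjob.arn]
  }
}

resource "aws_iam_policy" "assume_cronjob_role" {
  name   = "${data.aws_iam_role.workers.name}-assume-${var.cronjob_role_name}"
  policy = data.aws_iam_policy_document.assume_cronjob_role.json
}

# Attach the policy to the existing worker role; this is the piece that was
# missing in the error message above.
resource "aws_iam_role_policy_attachment" "workers_assume_cronjob_role" {
  role       = data.aws_iam_role.workers.name
  policy_arn = aws_iam_policy.assume_cronjob_role.arn
}
```

One caveat: because the permission is attached to the node (worker) role, every pod scheduled on those nodes that can reach the instance credentials can assume the cronjob role, not just the cronjob itself. Scoping `Resource` to one ARN limits the blast radius but does not change that.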