Deployed 5fb87582 to main with MkDocs 1.4.3 and mike 1.1.2

main/provider/aws-parameter-store/index.html

@@ -2345,16 +2345,15 @@ is available in different tiers, <a href="https://aws.amazon.com/systems-manager
 Please estimate your costs before using ESO. Cost depends on the RefreshInterval of your ExternalSecrets.</p>
 </div>
 <h3 id="iam-policy">IAM Policy</h3>
-<p>Create a IAM Policy to pin down access to secrets matching <code>dev-*</code>, for further information see <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html">AWS Documentation</a>:</p>
+<p>The example policy below shows the minimum required permissions for fetching SSM parameters. This policy permits pinning down access to secrets with a path matching <code>dev-*</code>. Other operations may require additional permission. For example, finding parameters based on tags will also require <code>ssm:DescribeParameters</code> and <code>tag:GetResources</code> permission with <code>"Resource": "*"</code>. Generally, the specific permission required will be logged as an error if an operation fails.</p>
+<p>For further information see <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html">AWS Documentation</a>.</p>
 <div class="highlight"><pre><span></span><code><span class="p">{</span>
 <span class="w">  </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
 <span class="w">  </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
 <span class="w">    </span><span class="p">{</span>
 <span class="w">      </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
 <span class="w">      </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
-<span class="w">        </span><span class="s2">&quot;ssm:GetParameter&quot;</span><span class="p">,</span>
-<span class="w">        </span><span class="s2">&quot;ssm:ListTagsForResource&quot;</span><span class="p">,</span>
-<span class="w">        </span><span class="s2">&quot;ssm:DescribeParameters&quot;</span>
+<span class="w">        </span><span class="s2">&quot;ssm:GetParameter*&quot;</span><span class="p">,</span>
 <span class="w">      </span><span class="p">],</span>
 <span class="w">      </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;arn:aws:ssm:us-east-2:1234567889911:parameter/dev-*&quot;</span>
 <span class="w">    </span><span class="p">}</span>
@@ -2393,13 +2392,13 @@ Please estimate your costs before using ESO. Cost depends on the RefreshInterval
 <span class="w">  </span><span class="c1"># metadataPolicy to fetch all the tags in JSON format</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tags</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w"> </span>
+<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
 
 <span class="w">  </span><span class="c1"># metadataPolicy to fetch a specific tag (dev) from the source secret</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">developer</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w"> </span>
+<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
 <span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dev</span>
 </code></pre></div></p>