update permissions recommeded for audit logs streaming (#9609)

cperez08 · web-flow · commit a8b37be5b939 · 2025-09-18T14:15:50.000-07:00
diff --git a/docs/guides/modules/security/pages/audit-logs.adoc b/docs/guides/modules/security/pages/audit-logs.adoc
@@ -116,7 +116,8 @@ The complete template for the trust relationship is the following:
             "Action": "sts:AssumeRoleWithWebIdentity",
             "Condition": {
                 "StringEquals": {
-                    "oidc.circleci.com/org/<org-id>:aud": "<org-id>"
+                    "oidc.circleci.com/org/<org-id>:aud": "<org-id>",
+                    "oidc.circleci.com/org/<org-id>:sub": "org/<org-id>/file-streaming/audit-logs"
                 }
             }
         }
@@ -141,7 +142,6 @@ The minimum required access policy for the role is as follows:
             "Effect": "Allow",
             "Action": [
                 "s3:PutObject",
-                "s3:GetObject",
                 "s3:ListBucket"
             ],
             "Resource": [

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,8 @@ The complete template for the trust relationship is the following:`
`116`	`116`	`"Action": "sts:AssumeRoleWithWebIdentity",`
`117`	`117`	`"Condition": {`
`118`	`118`	`"StringEquals": {`
`119`		`- "oidc.circleci.com/org/<org-id>:aud": "<org-id>"`
	`119`	`+ "oidc.circleci.com/org/<org-id>:aud": "<org-id>",`
	`120`	`+ "oidc.circleci.com/org/<org-id>:sub": "org/<org-id>/file-streaming/audit-logs"`
`120`	`121`	`}`
`121`	`122`	`}`
`122`	`123`	`}`
`@@ -141,7 +142,6 @@ The minimum required access policy for the role is as follows:`
`141`	`142`	`"Effect": "Allow",`
`142`	`143`	`"Action": [`
`143`	`144`	`"s3:PutObject",`
`144`		`- "s3:GetObject",`
`145`	`145`	`"s3:ListBucket"`
`146`	`146`	`],`
`147`	`147`	`"Resource": [`