-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-s3-deployment): bucket deployment fails when toolkit stack uses Customer KMS #25100
(aws-s3-deployment): bucket deployment fails when toolkit stack uses Customer KMS #25100
Comments
Thank you for your report. Yeah I believe you will need to grant your handler role to decrypt your CMK in this case. I believe we probably can improve this user experience even better. I am leaving this issue open and welcome all community feedbacks. |
@pahud , I think we are facing the same problem and this pattern might apply to other enterprise users as well. My company uses a slightly customized version of the CDK Bootstrap utility – we hard-code const lambda = bucketDeployment.node.findChild('CustomResourceHandler') as any;
const role = lambda.role as Role;
role.addToPolicy(
new PolicyStatement({
actions: ['kms:Decrypt'],
effect: Effect.ALLOW,
resources: ['*'], I want to propose possibly adding one (or more) of the following new features to
I'd be happy to make a PR on changes that you think are acceptable. Please let me know. Thanks! |
…StagingBucket` is encrypted with customer managed KMS key (#29540) ### Issue #25100 Closes #25100. ### Reason for this change When the CDK bootstrap stack's `StagingBucket` is encrypted with a customer managed KMS key whose key policy does not include wildcard KMS permissions similar to those of the S3 managed KMS key, `BucketDeployment` fails because the Lambda's execution role doesn't get the `kms:Decrypt` permission necessary to download from the bucket. In addition, if one of the sources for `BucketDeployment` comes from the `Source.bucket` static method, and the bucket is an "out-of-app imported reference" created from `s3.Bucket.fromBucketName`, the bucket's `encryptionKey` attribute is `null` and the current code won't add the `kms:Decrypt` permission on the bucket's encryption key to the Lambda's execution role. If this bucket is additionally encrypted with a customer managed KMS key without sufficient resource-based policy, the deployment fails as well. ### Description of changes It's not easy to make the code "just work" in every situation, because there's no way to pinpoint the source bucket's encryption key ARN without using another custom resource, which is a heavy-lifting and it's hard to give this new Lambda a reasonable and minimal set of execution role permissions. Therefore, this PR resolves the issue by changing `BucketDeployment.handlerRole` from `private readonly` to `public readonly`, and adding documentations on how to handle errors resulting from "not authorized to perform: kms:Decrypt". The current code allows customizing `handlerRole` by passing in `BucketDeploymentProps.role`. This change makes the customization easier because users don't need to manually add the S3 permissions. The only code change is on the visibility of `BucketDeployment.handlerRole`. All other changes are documentations. I proposed 4 possible changes in my comment to Issue #25100, and only the first one (changing visibility) is pursued in this PR. The second one was abandoned because the CFN export `CdkBootstrap-hnb659fds-FileAssetKeyArn` is deprecated. ### Description of how you validated changes I wrote a CDK app which uses the `BucketDeployment` construct. After manually adding relevant KMS permissions to the Lambda execution role, I verified that the bucket deployment worked in the following two scenarios: - My personal account; bootstrap stack's `StagingBucket` encrypted with a custom KMS key which only has the default key policy. - GoDaddy corporate account; `StagingBucket` encrypted with a KMS key from an AWS Organization management account. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the bug
When initialising the toolkit stack with
--bootstrap-kms-key-id
the bucket deployment fails.Expected Behavior
Bucket deployment copies the ressources to the desired destination
Current Behavior
The deployment fails and the logs read:
Reproduction Steps
Bootstrap with KMS:
create a stack with a bucket deployment
Possible Solution
The
handlerRole
of the BucketDeployment construct needs to have something like this:Additional Information/Context
Bootstrap Stack is updated to the most recent version
CDK CLI Version
2.73.0
Framework Version
No response
Node.js Version
16.20.0
OS
macos 13.2.1
Language
Typescript
Language Version
4.9.5
Other information
No response
The text was updated successfully, but these errors were encountered: