(aws-kms/aws-sqs): Invalid Alias ARN generated for SQS encryptionMasterKey #27733

Status: Closed
prashantgohel1 opened this issue Oct 27, 2023 · 4 comments
Labels: @aws-cdk/aws-sqs (Related to Amazon Simple Queue Service), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)

Comments

prashantgohel1 commented Oct 27, 2023

Describe the bug

When using the Alias.fromAliasName('name') static method to refer to a KMS key generated outside of the stack, the returned key ARN is not compliant with SQS encryption settings.

Expected Behavior

{
   "Type": "AWS::SQS::Queue",
   "Properties": {
    "KmsMasterKeyId": "arn:aws:kms:us-west-2:618350728704:alias/aliasName",
    "QueueName": "testQueue",
...
   },
  },

The alias keyword is missing from the generated ARN.

Current Behavior

Invalid alias ARN is generated from https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-kms/lib/alias.ts#L63-L67

Reproduction Steps

CDK constructs:

import { Alias } from 'aws-cdk-lib/aws-kms';
import { Queue, QueueEncryption, QueueProps } from 'aws-cdk-lib/aws-sqs';

// Inside a Stack: reference a KMS key created outside this stack by its alias name.
// As reported, the name is passed without the `alias/` prefix.
const alias = Alias.fromAliasName(this, `id`, `aliasName`);
const queueProperties: QueueProps = {
  queueName: `testQueue`,
  encryption: QueueEncryption.KMS,
  encryptionMasterKey: alias, // becomes KmsMasterKeyId in the template
};
this.queue = new Queue(this, `id2`, queueProperties);

Generated CFN template:

{
   "Type": "AWS::SQS::Queue",
   "Properties": {
    "KmsMasterKeyId": {
     "Fn::Join": [
      "",
      [
       "arn:",
       {
        "Ref": "AWS::Partition"
       },
       ":kms:us-west-2:${ACCOUNT_ID}:aliasName"
      ]
     ]
    },
    "QueueName": "testQueue",
...
   },
  },

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

v2.103.1

Framework Version

No response

Node.js Version

18

OS

macOS

Language

TypeScript

Language Version

TypeScript 5.0.3

Other information

No response

@prashantgohel1 prashantgohel1 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 27, 2023
@github-actions github-actions bot added the @aws-cdk/aws-sqs Related to Amazon Simple Queue Service label Oct 27, 2023
msambol (Contributor) commented Oct 28, 2023

I'll take this.

msambol (Contributor) commented Oct 28, 2023

@prashantgohel1 If you list aliases with the CLI, you'll see alias/ is part of AliasName.

{
    "Aliases": [
        {
            "AliasName": "alias/aws/acm",
...

The docs here show examples using the full alias name. Make sure you have alias/ prefixed when using Alias.fromAliasName(). The Console hides alias/ which is maybe where the confusion is.

prashantgohel1 (Author) commented

That makes sense. Thanks! Just for visibility, the code above needs to be changed to:

const alias = Alias.fromAliasName(this, `id`, `alias/aliasName`);
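The following TypeScript is an added example, not code from this issue or from aws-cdk. It reproduces the ARN assembly the generated template above implies (alias name concatenated verbatim after the account id; this mirrors the template shown in the issue, not the CDK source) and adds the two checks a practitioner would want before handing a key reference to the Queue construct: a validator for the KMS alias ARN grammar and a normalizer that supplies the `alias/` prefix the console hides. The function names, the regular expression and the 12-digit account id are assumptions constructed for the example.

```typescript
// Added example (not aws-cdk code). Shows why Alias.fromAliasName('aliasName')
// produces an ARN that SQS rejects, and how to check and normalize the alias
// name before it reaches the construct.

// Assembles the ARN the way the generated template in the issue shows:
// the alias name is appended verbatim after the account id. This is an
// assumption based on that template, not a copy of the CDK implementation.
function buildAliasArn(
  partition: string,
  region: string,
  account: string,
  aliasName: string,
): string {
  return `arn:${partition}:kms:${region}:${account}:${aliasName}`;
}

// KMS alias ARN grammar (assumed for this example):
//   arn:<partition>:kms:<region>:<12-digit account>:alias/<name>
// Alias names contain alphanumerics, '/', '_' and '-'; AWS-managed aliases
// start with 'alias/aws/'.
const ALIAS_ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:alias\/[A-Za-z0-9\/_-]+$/;

function isValidAliasArn(arn: string): boolean {
  return ALIAS_ARN_RE.test(arn);
}

// Turns a console-style name ("aliasName") into the API-style name
// ("alias/aliasName"), which is what `aws kms list-aliases` reports as
// AliasName. Names that already carry the prefix pass through unchanged;
// a full ARN is rejected because fromAliasName expects a name, not an ARN.
function normalizeAliasName(name: string): string {
  if (name.startsWith('alias/')) {
    return name;
  }
  if (name.startsWith('arn:')) {
    throw new Error(`expected an alias name, got an ARN: ${name}`);
  }
  return `alias/${name}`;
}

// Walks through the case from the issue with a constructed account id
// (123456789012 is a placeholder, not the account in the issue).
function demo(): { bad: string; good: string } {
  const account = '123456789012';
  const bad = buildAliasArn('aws', 'us-west-2', account, 'aliasName');
  const good = buildAliasArn('aws', 'us-west-2', account, normalizeAliasName('aliasName'));
  return { bad, good };
}

const result = demo();
console.log(`unprefixed name -> ${result.bad} (valid alias ARN: ${isValidAliasArn(result.bad)})`);
console.log(`prefixed name   -> ${result.good} (valid alias ARN: ${isValidAliasArn(result.good)})`);
```

Running the block prints the two ARNs side by side: the one built from `aliasName` fails the grammar check because the resource part lacks `alias/`, while the one built from `alias/aliasName` passes. In a real stack, the `normalizeAliasName` step would sit in front of `Alias.fromAliasName`, or a unit test on the synthesized template would assert `isValidAliasArn` on `KmsMasterKeyId`, so the mistake is caught at synth time rather than at deploy time.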

