chore(cloudfront-origins): grant key permissions to distribution #31188
Conversation
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
gracelu0
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| scope, | ||
| resolver: new DefaultTokenResolver(new StringConcat()), | ||
| })); | ||
| } |
There was a problem hiding this comment.
Do you have links to examples of this trick when the code is doing JSON.stringify(Tokenization.resolve ... ? Trying to understand what it does. Does it resolve to the logical ID?
There was a problem hiding this comment.
example of usage in iam module:
aws-cdk/packages/aws-cdk-lib/aws-iam/lib/private/util.ts
Lines 24 to 31 in af50620
Output from when I tested it locally is like this:
[Info at /MigrationOacStack/MyDistribution/Origin2] Granting OAC permissions to access KMS key for S3 bucket origin {"Ref":"MyBucketF68F3FF0"} may cause a circular dependency error when this stack deploys.
The key policy references the distribution's id, the distribution references the bucket, and the bucket references the key.
See the 'Using OAC for a SSE-KMS encrypted S3 origin' section in the module README for more details.
So yes it resolves to the logical ID. I thought it would be helpful to include the specific resource involved in the info message, but there might be a cleaner way to do this
There was a problem hiding this comment.
I see. Thank you. Looks good to me.
|
Comments on closed issues and PRs are hard for our team to see. |
Changes:
distributionIdoptional