
[Bug]: DeploymentFrameworkRegionalKMSKey "Allow use of the key" missing permissions for cross-account #756

Open
schoemme opened this issue Aug 29, 2024 · 0 comments
Labels
bug Something isn't working

schoemme commented Aug 29, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Cross-account pipeline deploy actions fail with an error due to missing KMS key resource-based policy permissions for non-admin principals.

Expected Behavior

Cross-region + cross-account deployment actions succeed.

Current Behavior

Cross-account pipeline deploy actions fail with error:

Replication of artifact '<ARTIFACT>' failed: Failed replicating artifact from <BUCKET_A> in <REGION_A> to <BUCKET_B> in <REGION_B>: Check source and destination artifact buckets exist and <PIPELINE_SERVICE_ROLE> has permission to access it.

Steps To Reproduce

No response

Possible Solution

After troubleshooting, I narrowed the issue down to the removal of the following permissions from DeploymentFrameworkRegionalKMSKey's "Allow use of the key" statement:

              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncrypt*

CodePipeline cross-account actions need these permissions allowed on the artifact bucket's KMS key resource-based policy for general usage. From Create a pipeline in CodePipeline that uses resources from another AWS account - Prerequisite: Create an AWS KMS encryption key, step 6 walks through creating the KMS key using the console:

In Define Key Usage Permissions, under This Account, select the name of the service role for the pipeline (for example, CodePipeline_Service_Role). Under Other AWS accounts, choose Add another AWS account. Enter the account ID for AccountB to complete the ARN, and then choose Next.

This step will generate the following statement in the key's policy:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<CROSS_ACCOUNT>:root"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

And later, under the subheading "Configure policies and roles in the account that owns the AWS resource (AccountB)", these permissions are added to the cross-account role. So for key usage, we need kms:Encrypt, kms:GenerateDataKey*, and kms:ReEncrypt* added back.

Additional Information/Context

No response

ADF Version

4.0.0

Contributing a fix?

  • Yes, I am working on a fix to resolve this issue
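A check for the situation described in this report, added here as an example that is not part of the issue or of the ADF project: it parses a KMS key policy document and lists which of the five key-usage actions from the CodePipeline cross-account guide a given principal is not granted. The sample policy and account IDs are constructed placeholders.

```python
"""Check whether a KMS key policy grants a cross-account principal the
key-usage actions CodePipeline needs for artifact replication."""
import fnmatch

# Actions the CodePipeline cross-account guide puts in "Allow use of the key".
REQUIRED_KEY_USAGE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                      "kms:GenerateDataKey*", "kms:DescribeKey"]

# Constructed sample: a key policy whose usage statement was trimmed to
# Decrypt/DescribeKey, as the report describes (account IDs are placeholders).
TRIMMED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_actions(policy, principal_arn):
    """Actions that Allow statements grant to principal_arn (or to '*')."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = (_as_list(principal) if isinstance(principal, str)
               else _as_list(principal.get("AWS", [])))
        if principal_arn in aws or "*" in aws:
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def missing_key_usage(policy, principal_arn):
    """Required actions not covered by any granted action glob.
    Each required entry is matched as a name against the granted globs, so a
    grant narrower than e.g. kms:ReEncrypt* still counts as missing."""
    granted = [g.lower() for g in granted_actions(policy, principal_arn)]
    return [req for req in REQUIRED_KEY_USAGE
            if not any(fnmatch.fnmatchcase(req.lower(), g) for g in granted)]

if __name__ == "__main__":
    for arn in ("arn:aws:iam::222222222222:root", "arn:aws:iam::111111111111:root"):
        print(arn, "missing:", missing_key_usage(TRIMMED_POLICY, arn))
```

To run this against a real key, feed it the output of `aws kms get-key-policy --policy-name default` parsed with `json.loads`.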

@schoemme schoemme added the bug Something isn't working label Aug 29, 2024