kms:DescribeKey on default S3 KMS key should not be required #3450
Comments
I'm working on getting a gist of the trace.log, but in the meantime here is a grep showing some relevant lines:
Edited Debug Output section to link to gist of trace file |
I am also getting same error in exact scenario. Any workaround or solution to this bug? |
I also have this issue. |
I'm able to reproduce this on the latest release (0.24.0). Looks like it's due to how TF tries to keep state consistent when the default S3 key is used. AWS automatically sets the key ID and subsequent reads will return it. Without this code, Terraform plans would think the key changed from "" to the default key ARN. Here is the offending code block (https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_s3_bucket_object.go#L297):
I'm wondering if we can simply remove this condition and make |
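The read-time decision discussed in the comment above, as an added example (not the provider's code, and not written by any participant in this thread). It assumes the default key only has to be resolved when `kms_key_id` is left empty in configuration; `kmsKeyForState`, `describeFunc` and the sample ARN are hypothetical names and values.

```go
package main

import (
	"errors"
	"fmt"
)

// describeFunc stands in for a kms:DescribeKey call on alias/aws/s3 and
// returns the default key's ARN. Hypothetical helper, not provider code.
type describeFunc func() (string, error)

var errAccessDenied = errors.New("AccessDeniedException: kms:DescribeKey")

// kmsKeyForState decides what to record as kms_key_id after reading an object.
// configured is the value from configuration ("" when unset); returned is the
// key ID S3 reports for the object. The default key is looked up only when the
// configuration leaves kms_key_id empty, so a role scoped to its own key is
// never asked for kms:DescribeKey on the aws/s3 key.
func kmsKeyForState(configured, returned string, describeDefault describeFunc) (string, error) {
	if returned == "" {
		return "", nil // object is not SSE-KMS encrypted
	}
	if configured != "" {
		return returned, nil // any drift shows up by direct comparison
	}
	defaultARN, err := describeDefault()
	if err != nil {
		return "", fmt.Errorf("describing default S3 KMS key: %w", err)
	}
	if returned == defaultARN {
		return "", nil // AWS filled in the default key; keep state empty
	}
	return returned, nil
}

func main() {
	// Simulates a role with no access to the aws/s3 key.
	denied := func() (string, error) { return "", errAccessDenied }
	// Constructed sample ARN, not taken from the issue.
	custom := "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-custom-key"
	got, err := kmsKeyForState(custom, custom, denied)
	fmt.Println(got, err)
}
```

With an empty `kms_key_id` the lookup is still needed to tell the default key from any other key S3 reports, so that path still requires `kms:DescribeKey` on the default key.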
On version 0.12.6 still getting the same error as above. A role that only has permission to a given key is being assumed by terraform to Put an encrypted object at S3, resulting in DescribeKey being triggered against the arn for default key. |
strange, seems still this issue isn't solved. |
Hitting this issue right now, too: terraform v0.12.28, AWS provider v2.69.0. This prevents us from managing certain configuration blobs using Terraform. Please fix this; the arguments in favour of this behaviour are not good enough to convince our core infra team to grant more permissions on KMS keys. |
any update on this issue? |
Same issue for me. We are mid 2021 but still no one has fixed this... |
It is Sep-2021, the issue is still there! Can we have a fix for this asap please.
Error: bucket object KMS: Failed to describe default S3 KMS key (alias/aws/s3): AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/xxxxxxxxx is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-1:xxxxxxxx:key/<id of the aws/s3 kms key>
Looking at the state file, the kms fields are correctly set. |
I just ran into this as well with terraform v1.0.8 and AWS provider 3.62.0. We have default encryption configured using our own KMS Key, not alias/aws/s3, and the object was put successfully and the correct KMS key applied for encryption, but now subsequent plans are failing. |
Also arrived at this problem in AWS v4.1 provider. Any comments from team about how to handle this? UPDATE: quick fix was to allow an open |
This is still a problem on the latest provider version, any plans to fix this? |
2024 is calling; this issue still forces us to give unnecessary permissions. |
terraform-provider-aws/internal/service/s3/bucket_object.go Lines 510 to 527 in c53a0b0
Hi there,
Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.
Terraform Version
Terraform 0.10.8
plugin.terraform-provider-aws_v1.9.0_x4
Affected Resource(s)
Please list the resources as a list, for example:
If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
Terraform Configuration Files
Debug Output
https://gist.github.com/55e126e62d3c205c1082891c700fdac5
Expected Behavior
terraform-provider-aws should have only called kms:DescribeKey on the value of the var.kms_key_arn which was "arn:aws:kms:us-east-1:253038043104:key/b0c45cd7-29fa-4b01-a24b-f2bbacbc385f"
Actual Behavior
Instead it called it on arn:aws:kms:us-east-1:253038043104:key/9e96e7f3-34f5-4db0-a0ba-b22dea13e4d7 which is the default S3 KMS Key. Nowhere in the bucket is the default S3 key used, and the role being used does not have or need access to the default S3 KMS key. The error received is:
default S3 KMS key (alias/aws/s3): AccessDeniedException: User: arn:aws:sts::253038043104:assumed-role/adfs-iamtestingdeveloper/vault-ldap-trpf439-aws-trp-ciam-np-253038043104-1519075546-9788 is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-1:253038043104:key/9e96e7f3-34f5-4db0-a0ba-b22dea13e4d7
Steps to Reproduce
Please list the steps required to reproduce the issue, for example: