kms: All principals in a PolicyStatement must have the same Conditions for cross-account policy
Describe the bug
CDK synth fails with a Resolution error: All principals in a PolicyStatement must have the same Conditions, when adding a cross-account policy.
Expected Behavior
synthesize with no error
Current Behavior
Error: Resolution error: Resolution error: Resolution error: All principals in a PolicyStatement must have the same Conditions (got '{"StringEquals":{"kms:ViaService":"secretsmanager.us-east-1.amazonaws.com"}}' and '{}'). Use multiple statements instead..
Object creation stack:
at stack traces disabled..
at PolicyStatement.addPrincipalConditions (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:7201)
at PolicyStatement.addPrincipals (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:2407)
at new PolicyStatement (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:663)
at PolicyStatement.copy (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:6086)
at mergeIfCombinable (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1847)
at onePass (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1032)
at mergeStatements (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:660)
at PolicyDocument._maybeMergeStatements (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:3033)
at PolicyDocument.resolve (/projects/issue-triage/node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1755)
at RememberingTokenResolver.resolveToken (/projects/issue-triage/node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)
Reproduction Steps
// Imports added so the reproduction compiles stand-alone; the stack body is unchanged.
import { Stack, StackProps } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as kms from 'aws-cdk-lib/aws-kms';
import { KeySpec, KeyUsage } from 'aws-cdk-lib/aws-kms';
import * as secrets from 'aws-cdk-lib/aws-secretsmanager';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const dummyKey = new kms.Key(this, 'Key', {
      alias: 'keyalias',
      enableKeyRotation: true,
      keyUsage: KeyUsage.ENCRYPT_DECRYPT,
      keySpec: KeySpec.SYMMETRIC_DEFAULT,
    });

    // The Secret adds its own grant (conditioned on kms:ViaService) to the key policy.
    new secrets.Secret(this, 'Secret', {
      encryptionKey: dummyKey,
    });

    // Cross-account statement with a hard-coded region in its kms:ViaService condition.
    const crossAccountAccessPolicy = new iam.PolicyStatement({
      actions: [
        'kms:CreateGrant',
        'kms:Decrypt',
        'kms:DescribeKey',
        'kms:Encrypt',
        'kms:GenerateDataKey*',
        'kms:ReEncrypt*',
      ],
      principals: [
        new iam.AccountPrincipal('123456789012'),
      ],
      resources: ['*'],
      conditions: {
        'StringEquals': { 'kms:ViaService': 'secretsmanager.us-east-1.amazonaws.com' },
      },
    });
    dummyKey.addToResourcePolicy(crossAccountAccessPolicy);
  }
}
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.126.0 (build fb74c41)
Framework Version
No response
Node.js Version
v20.6.1
OS
linux
Language
TypeScript
Language Version
No response
Other information
No response
internal tracking: V1241367978
Can't reproduce this issue. Looking at the internal tracking ticket, this happens when encryptionKey: dummyKey creates the policy with same action/condition as crossAccountAccessPolicy which will cause conflicts.
When I run the synth, condition created by encryptionKey: dummyKey is
Condition:
  StringEquals:
    kms:ViaService:
      Fn::Join:
        - ""
        - - secretsmanager.
          - Ref: AWS::Region
          - .amazonaws.com
while the condition in crossAccountAccessPolicy is
{
  'StringEquals': { 'kms:ViaService': 'secretsmanager.us-east-1.amazonaws.com' }
}
The region is not resolved in the output template hence not causing conflicts. I'm going to close the issue for now. If this issue still exists, feel free to re-open it.
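As an added illustration, not aws-cdk-lib's own code: a simplified TypeScript model of the merge rule named in the stack trace above (mergeStatements / mergeIfCombinable). Statements are folded together only when effect, actions, resources and conditions all match, which is why every principal in a merged statement must carry the same Condition. The two sample statements are constructed to mirror the conditions shown in the comment above; the account ids are placeholders.

```typescript
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Statement {
  Effect: 'Allow' | 'Deny'; Action: string[]; Resource: string[];
  Principal: { AWS: string[] }; Condition: Json;
}
// Sort object keys recursively so structurally equal conditions serialise identically.
function canonical(v: Json): Json {
  if (Array.isArray(v)) return v.map(canonical);
  if (v === null || typeof v !== 'object') return v;
  const out: { [key: string]: Json } = {};
  for (const k of Object.keys(v).sort()) out[k] = canonical(v[k]);
  return out;
}
// Everything except the principal must match before two statements may be combined.
function mergeKey(s: Statement): string {
  return JSON.stringify([s.Effect, s.Action.slice().sort(), s.Resource.slice().sort(), canonical(s.Condition)]);
}
// Fold statements with an identical key into one and union their principals, so a
// principal never lands in a statement whose Condition differs from its own.
function mergeStatements(stmts: Statement[]): Statement[] {
  const byKey: { [key: string]: Statement } = {};
  const order: string[] = [];
  for (const s of stmts) {
    const key = mergeKey(s);
    if (byKey[key] === undefined) {
      byKey[key] = { ...s, Principal: { AWS: s.Principal.AWS.slice() } };
      order.push(key);
    } else {
      byKey[key].Principal.AWS = byKey[key].Principal.AWS.concat(s.Principal.AWS);
    }
  }
  return order.map(k => byKey[k]);
}
// Constructed sample mirroring the two conditions shown above (account ids are placeholders):
// the Secret's grant keeps the region as a CloudFormation token, the cross-account statement
// hard-codes us-east-1, so their Conditions differ and the statements stay separate.
const KMS_ACTIONS = ['kms:CreateGrant', 'kms:Decrypt', 'kms:DescribeKey', 'kms:Encrypt',
  'kms:GenerateDataKey*', 'kms:ReEncrypt*'];
const SECRET_GRANT: Statement = {
  Effect: 'Allow', Action: KMS_ACTIONS, Resource: ['*'],
  Principal: { AWS: ['arn:aws:iam::000000000000:root'] },
  Condition: { StringEquals: { 'kms:ViaService':
    { 'Fn::Join': ['', ['secretsmanager.', { Ref: 'AWS::Region' }, '.amazonaws.com']] } } },
};
const CROSS_ACCOUNT: Statement = {
  Effect: 'Allow', Action: KMS_ACTIONS, Resource: ['*'],
  Principal: { AWS: ['arn:aws:iam::123456789012:root'] },
  Condition: { StringEquals: { 'kms:ViaService': 'secretsmanager.us-east-1.amazonaws.com' } },
};
```

Two cross-account statements that share the literal-region condition would be folded into one statement with both principals; the token-based grant and the literal-region statement never are.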
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.