aws-deployment-framework
[Bug]: DeploymentFrameworkRegionalKMSKey "Allow use of the key" missing permissions for cross-account
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
Cross-account pipeline deploy actions fail with an error due to missing KMS key resource-based policy permissions for non-admin principals.
Expected Behavior
Cross-region + cross-account deployment actions succeed.
Current Behavior
Cross-account pipeline deploy actions fail with error:
Replication of artifact '<ARTIFACT>' failed: Failed replicating artifact from <BUCKET_A> in <REGION_A> to <BUCKET_B> in <REGION_B>: Check source and destination artifact buckets exist and <PIPELINE_SERVICE_ROLE> has permission to access it.
Steps To Reproduce
No response
Possible Solution
After troubleshooting, I narrowed the issue down to the removal of the following permissions from DeploymentFrameworkRegionalKMSKey's "Allow use of the key" statement:
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
CodePipeline cross-account actions need these permissions granted in the resource-based policy of the artifact bucket's KMS key for general usage. In the AWS documentation "Create a pipeline in CodePipeline that uses resources from another AWS account", under "Prerequisite: Create an AWS KMS encryption key", step 6 walks through creating the KMS key using the console:
In Define Key Usage Permissions, under This Account, select the name of the service role for the pipeline (for example, CodePipeline_Service_Role). Under Other AWS accounts, choose Add another AWS account. Enter the account ID for AccountB to complete the ARN, and then choose Next.
This step will generate the following statement in the key's policy:
```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<CROSS_ACCOUNT>:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```
And later, under the subheading "Configure policies and roles in the account that owns the AWS resource (AccountB)", these same permissions are added to the cross-account role. So for key usage, we need kms:Encrypt, kms:GenerateDataKey*, and kms:ReEncrypt* added back.
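As an added example (not part of this issue or of the ADF code base), the check below reads a KMS key policy and reports which of the five "Allow use of the key" actions are not granted to a given cross-account principal, then shows the statement repaired. The policy document, the `Sid` names and the account ids `111122223333` / `999999999999` are constructed placeholders, and `Condition` blocks and `Deny` statements are deliberately not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions the "Allow use of the key" statement grants; CodePipeline's cross-account
# artifact replication needs all of them on the artifact bucket's key.
REQUIRED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(statement):
    # Principal may be "*", {"AWS": "<arn>"} or {"AWS": ["<arn>", ...]}.
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))

def missing_key_actions(key_policy_json, principal_arn):
    """Return the REQUIRED_ACTIONS that no Allow statement grants principal_arn.
    Conditions and Deny statements are ignored: a quick check, not full IAM evaluation."""
    granted = []
    for stmt in _as_list(json.loads(key_policy_json)["Statement"]):
        principals = _aws_principals(stmt)
        if stmt.get("Effect") == "Allow" and (principal_arn in principals or "*" in principals):
            granted.extend(_as_list(stmt["Action"]))
    # A required pattern is covered only by an equal or broader granted pattern:
    # "kms:ReEncrypt*" is covered by "kms:ReEncrypt*" or "kms:*", not by "kms:ReEncryptFrom".
    return [a for a in REQUIRED_ACTIONS if not any(fnmatchcase(a, g) for g in granted)]

def fixed_policy(key_policy_json):
    """Add the required actions back to the 'Allow use of the key' statement."""
    policy = json.loads(key_policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Sid") == "Allow use of the key":
            stmt["Action"] = sorted(set(_as_list(stmt["Action"])) | set(REQUIRED_ACTIONS))
    return json.dumps(policy)

# Constructed key policy reproducing the report: the cross-account statement lost
# Encrypt, ReEncrypt* and GenerateDataKey*. Both account ids are placeholders.
CROSS_ACCOUNT = "arn:aws:iam::111122223333:root"
BROKEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": CROSS_ACCOUNT},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]})

if __name__ == "__main__":
    print("missing:", missing_key_actions(BROKEN_POLICY, CROSS_ACCOUNT))
    print("after fix:", missing_key_actions(fixed_policy(BROKEN_POLICY), CROSS_ACCOUNT))
```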
Additional Information/Context
No response
ADF Version
4.0.0
Contributing a fix?
- [X] Yes, I am working on a fix to resolve this issue
### Tasks
- [ ] https://github.com/awslabs/aws-deployment-framework/pull/757