cdk-constructs
bug(dynamodb-seeder): CustomResource cannot access KMS key
When a DynamoDB table has a customer-managed CMK, the following error occurs:
Received response status [FAILED] from custom resource. Message returned: KMS key access denied error: com.amazonaws.services.kms.model.AWSKMSException: The ciphertext refers to a customer master key that does
not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: d7d7828b-5a92-40d3-b306-e3cfae47f761; Proxy: null)
(RequestId: fb5a9bb1-a81c-4504-a541-b172aa2797a9)
#99 gives the appropriate actions to the IAM role policy for the lambda, but it seems that the CustomResource does not have access to the KMS key...
@hupe1980 🙃