serverless-step-functions
Autogenerated IAM role for SFN is missing KMS permissions
This is a Bug Report
Description
For bug reports:
- What went wrong? We configured a DynamoDB table to use KMS encryption. We configured SFN to read from DynamoDB. The autogenerated IAM role used by SFN is missing permissions (KMS key usage).
- What did you expect should have happened? The IAM role should have all the required permissions that the SFN needs.
- What was the config you used?

```yaml
DBTable:
  Type: AWS::DynamoDB::Table
  Properties:
    AttributeDefinitions:
      xxx
    BillingMode: PAY_PER_REQUEST
    KeySchema:
      xxx
    SSESpecification:
      SSEEnabled: true
      SSEType: 'KMS'
      KMSMasterKeyId: !Ref KMSKey
    TableName: xyz
KMSKey:
  Type: AWS::KMS::Key
  Properties:
    Description: 'KMS key for ${self:service}'
    Enabled: true
    KeyPolicy:
      Version: '2012-10-17'
      Id: ${self:service}-key
      Statement:
        - Sid: Allow access for Key Administrators
          Effect: Allow
          Principal:
            AWS:
              - !Join
                - ''
                - - 'arn:aws:iam::'
                  - { Ref: "AWS::AccountId" }
                  - ':role/abc'
              - !Join
                - ''
                - - 'arn:aws:iam::'
                  - { Ref: "AWS::AccountId" }
                  - ':role/xyz'
          Action:
            - 'kms:Create*'
            - 'kms:Describe*'
            - 'kms:Enable*'
            - 'kms:List*'
            - 'kms:Put*'
            - 'kms:Update*'
            - 'kms:Revoke*'
            - 'kms:Disable*'
            - 'kms:Get*'
            - 'kms:Delete*'
            - 'kms:TagResource'
            - 'kms:UntagResource'
            - 'kms:ScheduleKeyDeletion'
            - 'kms:CancelKeyDeletion'
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              - !Join
                - ''
                - - 'arn:aws:iam::'
                  - { Ref: "AWS::AccountId" }
                  - ':root'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:DescribeKey'
            - 'kms:CreateGrant'
          Resource: '*'
        - Sid: Allow dynamoDB&StepFunctions to use this key
          Effect: Allow
          Principal:
            Service:
              - 'dynamodb.amazonaws.com'
              - 'states.amazonaws.com'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:DescribeKey'
            - 'kms:CreateGrant'
          Resource: '*'
```

The state that reads from the table:

```yaml
GetTrainingState:
  Type: Task
  Resource: arn:aws:states:::dynamodb:getItem
```
- What stacktrace or error message from your provider did you see?

```
Error: DynamoDB.AmazonDynamoDBException
Cause: KMS key access denied error: com.amazonaws.services.kms.model.AWSKMSException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: abc Proxy: null) (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: xyz; Proxy: null)
```
For feature proposals:
- Add the permissions required to use encrypted components to the SFN role.
- Manually adding this to the SFN role solved the problem:

```json
{
  "Action": [
    "kms:*"
  ],
  "Resource": [
    "abc"
  ],
  "Effect": "Allow"
}
```
Additional Data
- Serverless Framework Core Version you're using: 2.4.0
- The Plugin Version you're using: 2.27.1
- Operating System: OSx 10.15.7 or Docker image python:3.7-slim-stretch
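The gap described in this report is easy to reintroduce and easy to over-correct (`kms:*` on the key works but grants far more than a read path needs). The following is an added example, not code from the plugin or the reporter: a small offline check that takes a role policy document, reports which KMS actions the state machine still lacks on the table's key, and flags statements that are broader than necessary. The key and table ARNs are constructed placeholders, and the "required" action set is an assumption to confirm against the service documentation.

```python
import fnmatch

# Actions a Step Functions execution role needs so DynamoDB (or S3) can use a
# customer managed KMS key on its behalf. Assumed minimal set; confirm per service.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target, fold_case):
    # IAM '*' and '?' wildcards map onto fnmatch; actions match case-insensitively.
    if fold_case:
        target, patterns = target.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def missing_kms_actions(policy, key_arn):
    """Required KMS actions that `policy` does not Allow on `key_arn`.
    Deny, NotAction/NotResource and Condition are ignored (assumption)."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if not _matches(stmt.get("Resource", []), key_arn, fold_case=False):
            continue
        allowed.update(a for a in REQUIRED_KMS_ACTIONS
                       if _matches(stmt["Action"], a, fold_case=True))
    return [a for a in REQUIRED_KMS_ACTIONS if a not in allowed]

def overly_broad_kms_statements(policy):
    """Indexes of Allow statements granting every KMS action, or KMS on any key."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        kms_related = any(a == "*" or a.startswith("kms:") for a in actions)
        all_kms = any(a in ("*", "kms:*") for a in actions)
        any_key = "*" in _as_list(stmt.get("Resource", []))
        if all_kms or (kms_related and any_key):
            flagged.append(i)
    return flagged

# Constructed sample documents; the key ARN is a placeholder, not a real key.
KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"
AUTOGENERATED = {"Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem"],
                 "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/xyz"}]}
KMS_STAR_FIX = {"Statement": [{"Effect": "Allow", "Action": ["kms:*"], "Resource": [KEY_ARN]}]}
SCOPED_FIX = {"Statement": [{"Effect": "Allow", "Action": list(REQUIRED_KMS_ACTIONS),
              "Resource": [KEY_ARN]}]}
```

Run `missing_kms_actions` against the role the plugin generated to confirm the gap, and `overly_broad_kms_statements` against the patched role before merging a `kms:*` workaround.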
Any news on this? Now, with the distributed map, this is also an issue when using S3 as a source. Using this will result in the following error:

```
Access denied. Ensure the correct permissions are added to your state machine's execution role. | Message from S3: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
```