-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
fix(s3-deployment): BucketDeployment
fails when bootstrap stack's StagingBucket
is encrypted with customer managed KMS key
#29540
fix(s3-deployment): BucketDeployment
fails when bootstrap stack's StagingBucket
is encrypted with customer managed KMS key
#29540
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
Exemption Request I'm requesting an exemption from updating test and snapshot files in this PR. The only code change in this PR is changing |
@@ -4,6 +4,8 @@ import { Construct } from 'constructs'; | |||
import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; | |||
import * as s3 from 'aws-cdk-lib/aws-s3'; | |||
import * as ec2 from'aws-cdk-lib/aws-ec2'; | |||
import * as iam from 'aws-cdk-lib/aws-iam'; | |||
import * as kms from 'aws-cdk-lib/aws-kms'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is this change needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for reviewing! @GavinZZ
I'm following the guidelines on writing docs in the Rosetta section. Without adding these lines, the new code snippets I added won't compile (e.g. Line 98 of packages/aws-cdk-lib/aws-s3-deployment/README.md, which uses iam.PolicyStatement
). The section also recommends "Utilize the default.ts-fixture that already exists rather than writing new .ts-fixture files", so I'm updating the default ts-fixture file.
It seems that the CI (when I was making the PR) doesn't check if Rosetta compiles, but since this PR is mainly doc changes, I want to make sure the updates can be reflected on the CDK doc site. <-- By this I mean not all committed docs compile when I ran yarn rosetta:extract --strict
locally. I only made sure all aws-s3-deployment
docs compile but didn't touch other subpackages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kxue-godaddy thanks for getting back to me so quickly. I agree that the import statement for iam
is necessary since it's used in the README file, but I don't think I see any usage of kms
(other than the IAM actions). Would you please try removing the kms
import statement and re-ran the command?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed the kms
line and reran the command. It shows the following error:
aws-cdk-lib.aws_s3_deployment.Source#bucket-example.ts:24:18 - error TS2304: Cannot find name 'kms'.
24 encryptionKey: kms.Key.fromKeyArn(
The kms
import line is needed by packages/aws-cdk-lib/aws-s3-deployment/lib/source.ts, where I added an example for Source.bucket
via the @example
tag.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh nice, thank you. Didn't notice that there's a kms
usage here.
Agree that no test is needed. Just have one question on the |
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thank you for contributing and answering my questions.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Looks like "Queue: Embarked in merge queue" was not successful because I didn't allow workflow runs in my fork repo. Just updated that and I will trigger mergify again. |
@Mergifyio refresh |
✅ Pull request refreshed |
Mergify still doesn't work. Error message is:
I'm going to click the "Update branch" button on this PR and see what happens. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Mergify reports an error for "Queue: Embarked in merge queue" after PR approval. I tried clicking the "Update branch" button and mergify dismissed your approval as stale. Could you approve again? The changes are the same. Sorry! |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Issue #25100
Closes #25100.
Reason for this change
When the CDK bootstrap stack's
StagingBucket
is encrypted with a customer managed KMS key whose key policy does not include wildcard KMS permissions similar to those of the S3 managed KMS key,BucketDeployment
fails because the Lambda's execution role doesn't get thekms:Decrypt
permission necessary to download from the bucket.In addition, if one of the sources for
BucketDeployment
comes from theSource.bucket
static method, and the bucket is an "out-of-app imported reference" created froms3.Bucket.fromBucketName
, the bucket'sencryptionKey
attribute isnull
and the current code won't add thekms:Decrypt
permission on the bucket's encryption key to the Lambda's execution role. If this bucket is additionally encrypted with a customer managed KMS key without sufficient resource-based policy, the deployment fails as well.Description of changes
It's not easy to make the code "just work" in every situation, because there's no way to pinpoint the source bucket's encryption key ARN without using another custom resource, which is a heavy-lifting and it's hard to give this new Lambda a reasonable and minimal set of execution role permissions.
Therefore, this PR resolves the issue by changing
BucketDeployment.handlerRole
fromprivate readonly
topublic readonly
, and adding documentations on how to handle errors resulting from "not authorized to perform: kms:Decrypt". The current code allows customizinghandlerRole
by passing inBucketDeploymentProps.role
. This change makes the customization easier because users don't need to manually add the S3 permissions.The only code change is on the visibility of
BucketDeployment.handlerRole
. All other changes are documentations.I proposed 4 possible changes in my comment to Issue #25100, and only the first one (changing visibility) is pursued in this PR. The second one was abandoned because the CFN export
CdkBootstrap-hnb659fds-FileAssetKeyArn
is deprecated.Description of how you validated changes
I wrote a CDK app which uses the
BucketDeployment
construct. After manually adding relevant KMS permissions to the Lambda execution role, I verified that the bucket deployment worked in the following two scenarios:StagingBucket
encrypted with a custom KMS key which only has the default key policy.StagingBucket
encrypted with a KMS key from an AWS Organization management account.Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license