Hello.
Check whether the target IAM role is allowed in the key policy of the customer key used for artifact S3 encryption.
Based on the content of the error message, I believe that the operation is probably not allowed by the key policy of the KMS key.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html#pipelines-create-cross-account-create-key
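As an added illustration of the key-policy check suggested above (example code, not from this thread or from AWS): a small Python evaluator that reads a customer managed key policy and reports which of the actions the pipeline role needs are not granted to it. The deploy role ARN is the one from the question; the key-owning account number (111111111111) and the policy document are constructed, and policy conditions are not evaluated, so a clean result here is necessary but not sufficient.

```python
import fnmatch

# Role ARN from the thread; the key-owning account (111111111111) and
# the key policy below are constructed for this example.
DEPLOY_ROLE_ARN = "arn:aws:iam::730335647464:role/cdk-hnb659fds-deploy-role-730335647464-ap-south-1"
REQUIRED_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey"]
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCrossAccountDeployRole", "Effect": "Allow",
         "Principal": {"AWS": DEPLOY_ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                    "kms:ReEncrypt*", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_matches(stmt, principal_arn):
    # Naming the principal's account root delegates to that account's IAM
    # policies, so it counts as allowed at the key-policy layer.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return any(p in ("*", principal_arn, account_root) for p in entries)

def key_policy_allows(key_policy, principal_arn, action):
    # Deny wins, else any unconditional matching Allow. Conditions are not
    # evaluated (conditional Allow ignored, conditional Deny applied), so it errs toward "missing".
    allowed = False
    for stmt in key_policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not (_principal_matches(stmt, principal_arn)
                and any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if not stmt.get("Condition"):
            allowed = True
    return allowed

def missing_actions(key_policy, principal_arn, actions):
    # Required actions the key policy does not grant the principal.
    return [a for a in actions if not key_policy_allows(key_policy, principal_arn, a)]
```

Run `missing_actions` against the policy returned by `aws kms get-key-policy` for the artifact key; an empty list means the key-policy side of the cross-account grant is in place and the remaining suspect is the role's own IAM policy.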
It seems like the IAM role cdk-hnb659fds-deploy-role-730335647464-ap-south-1 lacks the necessary permissions to perform the kms:Decrypt action on the resource associated with the ciphertext in the ap-south-1 region. This error typically arises when the IAM policy attached to the role does not grant adequate permissions for the required action.
To resolve this issue:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormationPermissions"
    },
    {
      "Condition": {
        "StringNotEquals": {
          "s3:ResourceAccount": "730335647464"
        }
      },
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*",
        "s3:Abort*",
        "s3:DeleteObject*",
        "s3:PutObject*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "PipelineCrossAccountArtifactsBucket"
    },
    {
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.ap-south-1.amazonaws.com"
        }
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "PipelineCrossAccountArtifactsKey"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStackEvents",
        "cloudformation:GetTemplate",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateTerminationProtection",
        "sts:GetCallerIdentity",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CliPermissions"
    },
    {
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
        "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
      ],
      "Effect": "Allow",
      "Sid": "CliStagingBucket"
    },
    {
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
      ],
      "Effect": "Allow",
      "Sid": "ReadVersion"
    },
    {
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:ap-south-1:YOUR_ACCOUNT_ID:key/YOUR_KMS_KEY_ID",
      "Effect": "Allow",
      "Sid": "KMSDecrypt"
    }
  ]
}
Replace YOUR_ACCOUNT_ID and YOUR_KMS_KEY_ID with your AWS account ID and the KMS key ID, respectively.
Thank you! Customer managed key policy has been fixed.