En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

IAM Permission issue

0

Hi, During Prepare step in deployment in our pipeline, we are getting the following permission error. Pipeline is part of root account and the stage that we try to deploy is another account. Both is linked in AWS Organizations and IAM Identity Center.

User: arn:aws:sts::730335647464:assumed-role/cdk-hnb659fds-deploy-role-730335647464-ap-south-1/1714469899562 is not authorized to perform: kms:Decrypt 
on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly 
denies access (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: R5ETGAG98E7SFM4V; S3 Extended Request ID: 
6i0h03zjDJoA+2sytSKLJT3TKCSSiRkTPCvc8/H8a439M6XyeCE36ZCiEfFwF67iqOIfIWH1Td4=; Proxy: null)

Policy attached to --- cdk-hnb659fds-deploy-role-730335647464-ap-south-1

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "cloudformation:CreateChangeSet",
            "cloudformation:DeleteChangeSet",
            "cloudformation:DescribeChangeSet",
            "cloudformation:DescribeStacks",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:CreateStack",
            "cloudformation:UpdateStack"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "CloudFormationPermissions"
    },
    {
        "Condition": {
            "StringNotEquals": {
                "s3:ResourceAccount": "730335647464"
            }
        },
        "Action": [
            "s3:GetObject*",
            "s3:GetBucket*",
            "s3:List*",
            "s3:Abort*",
            "s3:DeleteObject*",
            "s3:PutObject*"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "PipelineCrossAccountArtifactsBucket"
    },
    {
        "Condition": {
            "StringEquals": {
                "kms:ViaService": "s3.ap-south-1.amazonaws.com"
            }
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "PipelineCrossAccountArtifactsKey"
    },
    {
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
        "Effect": "Allow"
    },
    {
        "Action": [
            "cloudformation:DescribeStackEvents",
            "cloudformation:GetTemplate",
            "cloudformation:DeleteStack",
            "cloudformation:UpdateTerminationProtection",
            "sts:GetCallerIdentity",
            "cloudformation:GetTemplateSummary"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "CliPermissions"
    },
    {
        "Action": [
            "s3:GetObject*",
            "s3:GetBucket*",
            "s3:List*"
        ],
        "Resource": [
            "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
            "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
        ],
        "Effect": "Allow",
        "Sid": "CliStagingBucket"
    },
    {
        "Action": [
            "ssm:GetParameter"
        ],
        "Resource": [
            "arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
        ],
        "Effect": "Allow",
        "Sid": "ReadVersion"
    }
]
}

Trust Relationship:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::730335647464:root"
        },
        "Action": "sts:AssumeRole"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::134514717601:root"
        },
        "Action": "sts:AssumeRole"
    }
]
}
Sujets
Outils de développementSécurité, identité et conformité
Balises
AWS CodePipelineCentre d’identité IAM AWSPolitiques IAM
Langue
English
idesk-dev
demandé il y a un mois175 vues
2 réponses
2
Réponse acceptée

Hello.

Check whether the target IAM role is allowed in the key policy of the customer key used for artifact S3 encryption.
Based on the content of the error message, I believe that the operation is probably not allowed by the key policy of the KMS key.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html#pipelines-create-cross-account-create-key

profile picture
EXPERT
Riku_Kobayashi
répondu il y a un mois
profile picture
EXPERT
Oleksii Bebych
vérifié il y a un mois
profile picture
EXPERT
Adeleke Adebowale J
vérifié il y a un mois
  • idesk-dev
    il y a un mois

    Thank you! Customer managed key policy has bee fixed.

2

It seems like the IAM role cdk-hnb659fds-deploy-role-730335647464-ap-south-1 lacks the necessary permissions to perform the kms:Decrypt action on the resource associated with the ciphertext in the ap-south-1 region. This error typically arises when the IAM policy attached to the role does not grant adequate permissions for the required action.

To resolve this issue: -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStacks",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormationPermissions"
        },
        {
            "Condition": {
                "StringNotEquals": {
                    "s3:ResourceAccount": "730335647464"
                }
            },
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:PutObject*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PipelineCrossAccountArtifactsBucket"
        },
        {
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3.ap-south-1.amazonaws.com"
                }
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PipelineCrossAccountArtifactsKey"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:GetTemplate",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateTerminationProtection",
                "sts:GetCallerIdentity",
                "cloudformation:GetTemplateSummary"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CliPermissions"
        },
        {
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
                "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
            ],
            "Effect": "Allow",
            "Sid": "CliStagingBucket"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
            ],
            "Effect": "Allow",
            "Sid": "ReadVersion"
        },
        {
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:ap-south-1:YOUR_ACCOUNT_ID:key/YOUR_KMS_KEY_ID",
            "Effect": "Allow",
            "Sid": "KMSDecrypt"
        }
    ]
}

Replace YOUR_ACCOUNT_ID and YOUR_KMS_KEY_ID with your AWS account ID and the KMS key ID, respectively.

profile picture
kranthi putti
répondu il y a un mois
profile picture
EXPERT
Adeleke Adebowale J
vérifié il y a un mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents