KMSKey object cannot add a key policy by calling the addToResourcePolicy function in cdk code?

Hello! I'm having trouble setting the KMS key policy via CDK code; here's how I'm dealing with it so far.

First, I create a KMS key in a stack and then use "new cdk.CfnOutput" to export the ARN of the KMS key.

Then, in another stack, I use "cdk.Fn.importValue" to import the ARN of the KMS key and "kms.Key.fromKeyArn" to get the KMS Key object.

Finally, I want to add a key policy to the KMS key by calling the "addToResourcePolicy" method, but after the deployment completes I cannot see the added key policy in the AWS KMS console, although there is no error during deployment.

The CDK code is written in TypeScript.

The basic invocation process is as follows:

// Stack A
const demoKMSKey = new kms.Key(this, 'demoKMSKey', {
    alias: `demoKMSKey`,
});

// Export the key ARN so that another stack can import it
new cdk.CfnOutput(this, 'demoKMSKey-Arn', {
    exportName: 'demoKMSKey-Arn',
    value: demoKMSKey.keyArn,
});

// Stack B
// Import the key by ARN (ec2RoleArn is the ARN of the role defined elsewhere in this stack)
const demoKMSKey = kms.Key.fromKeyArn(
    this,
    'demoKMSKey',
    cdk.Fn.importValue('demoKMSKey-Arn')
);

demoKMSKey.addToResourcePolicy(
    new iam.PolicyStatement({
        sid: `demoKMSKeyPolicy`,
        effect: iam.Effect.ALLOW,
        principals: [new iam.ArnPrincipal(ec2RoleArn)],
        actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
        resources: ['*'],
    })
);

Current KMS Key Policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345678901234:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Additional notes: The user who performs the CDK deployment has the kms:* permission on all resources.

1 answer

Accepted answer

Hello.

If you add a policy to "new kms.Key" as shown below, will it be displayed?
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html

demoKMSKey = new kms.Key(this, 'demoKMSKey', {
    alias: `demoKMSKey`,
    policy: ...
});
Expert, answered a month ago

Expert, reviewed a month ago
  • After I added the policy object [PolicyDocument], I performed the deployment and got the following error: Resource handler returned message: "Service returned error code MalformedPolicyDocumentException (Service: Kms, Status Code: 400, Request ID: 4b9b)" (RequestToken: bea34c2, HandlerErrorCode: InvalidRequest)

  • Then I also used the addToResourcePolicy method to add the policy in the stack that creates the KMS key, but I got the same error when deploying.

  • For the time being, I was able to confirm that it works with the code below. I was able to create code that can be referenced within the same stack.

    import * as cdk from 'aws-cdk-lib';
    import { Construct } from 'constructs';
    import * as kms from 'aws-cdk-lib/aws-kms';
    import * as iam from 'aws-cdk-lib/aws-iam';
    
    export class CdkAppStack extends cdk.Stack {
      constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);
    
        // The key is declared in this stack, so its key policy is part of this stack's template
        const demoKMSKey = new kms.Key(this, 'demoKMSKey', {
          alias: `demoKMSKey`,
        });
    
        const ec2Role = new iam.Role(this, 'Role', {
          roleName: 'test-assume',
          assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
        });
    
        const ec2RoleArn = ec2Role.roleArn;
    
        demoKMSKey.addToResourcePolicy(
          new iam.PolicyStatement({
            sid: `demoKMSKeyPolicy`,
            effect: iam.Effect.ALLOW,
            principals: [new iam.ArnPrincipal(ec2RoleArn)],
            actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
            resources: ['*'],
          })
        );
    
        new cdk.CfnOutput(this, 'demoKMSKey-Arn', {
          exportName: 'demoKMSKey-Arn',
          value: demoKMSKey.keyArn,
        });
      }
    }
    
  • I haven't been able to confirm this due to lack of time, but it may be possible to reference KMS from another stack using the method described in the document below. https://repost.aws/knowledge-center/cdk-cross-stack-reference

  • Thanks for your help, I'm going to keep investigating. Could you tell me the permissions of your deployment user? Thanks again.
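An added check, not from this thread, that explains the symptom above: kms.Key.fromKeyArn returns an imported key with no policy document, so addToResourcePolicy on it returns { statementAdded: false } without touching anything (it only throws when its second argument, allowNoOp, is passed as false), and a KeyPolicy reaches CloudFormation only through the template of the stack that declares the AWS::KMS::Key. The script below inspects synthesized templates (cdk.out/<Stack>.template.json after cdk synth) for the expected Sid, so a CI job can fail before deployment instead of silently deploying nothing; the templates, stack names and account id are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample templates standing in for cdk.out/<Stack>.template.json
# (the real files are produced by `cdk synth`); the account id is a placeholder.
STACK_A_TEMPLATE = json.dumps({"Resources": {"demoKMSKey": {
    "Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {
        "Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"}]}}}}})

# Stack B only imports the key: it has no AWS::KMS::Key resource, so no KeyPolicy
# is ever sent to CloudFormation, whatever addToResourcePolicy was called with.
STACK_B_TEMPLATE = json.dumps({"Resources": {"Role": {"Type": "AWS::IAM::Role"}}})

# The owning stack after the statement was added there (as in the same-stack
# code from the thread): the Sid now appears in the KeyPolicy.
STACK_A_FIXED_TEMPLATE = json.dumps({"Resources": {"demoKMSKey": {
    "Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {
        "Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "demoKMSKeyPolicy", "Effect": "Allow",
             "Principal": {"AWS": {"Fn::GetAtt": ["Role", "Arn"]}},
             "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}}}}})


def key_policy_sids(template_json: str) -> Dict[str, List[str]]:
    """Map each AWS::KMS::Key logical id in a template to the Sids in its KeyPolicy."""
    template = json.loads(template_json)
    sids_by_key = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        statements = res.get("Properties", {}).get("KeyPolicy", {}).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be written unwrapped
            statements = [statements]
        sids_by_key[logical_id] = [s.get("Sid", "<no Sid>") for s in statements]
    return sids_by_key


def stacks_carrying_statement(templates: Dict[str, str], sid: str) -> List[str]:
    """Names of stacks whose synthesized template has a key policy statement with this Sid."""
    return [name for name, tpl in templates.items()
            if any(sid in sids for sids in key_policy_sids(tpl).values())]


if __name__ == "__main__":
    before = {"StackA": STACK_A_TEMPLATE, "StackB": STACK_B_TEMPLATE}
    after = {"StackA": STACK_A_FIXED_TEMPLATE, "StackB": STACK_B_TEMPLATE}
    print("before fix:", stacks_carrying_statement(before, "demoKMSKeyPolicy"))  # []
    print("after fix: ", stacks_carrying_statement(after, "demoKMSKeyPolicy"))   # ['StackA']
```

An empty result for the Sid you expect means the statement never made it into any template, which is exactly the case when it was added to a key obtained from Key.fromKeyArn.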
