- 최신
- 최다 투표
- 가장 많은 댓글
Hello.
Check whether the target IAM role is allowed in the key policy of the customer key used for artifact S3 encryption.
Based on the content of the error message, I believe that the operation is probably not allowed by the key policy of the KMS key.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html#pipelines-create-cross-account-create-key
It seems like the IAM role cdk-hnb659fds-deploy-role-730335647464-ap-south-1 lacks the necessary permissions to perform the kms:Decrypt action on the resource associated with the ciphertext in the ap-south-1 region. This error typically arises when the IAM policy attached to the role does not grant adequate permissions for the required action.
To resolve this issue: -
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormationPermissions"
},
{
"Condition": {
"StringNotEquals": {
"s3:ResourceAccount": "730335647464"
}
},
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:Abort*",
"s3:DeleteObject*",
"s3:PutObject*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "PipelineCrossAccountArtifactsBucket"
},
{
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.ap-south-1.amazonaws.com"
}
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "PipelineCrossAccountArtifactsKey"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate",
"cloudformation:DeleteStack",
"cloudformation:UpdateTerminationProtection",
"sts:GetCallerIdentity",
"cloudformation:GetTemplateSummary"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CliPermissions"
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
"arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
],
"Effect": "Allow",
"Sid": "CliStagingBucket"
},
{
"Action": [
"ssm:GetParameter"
],
"Resource": [
"arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
],
"Effect": "Allow",
"Sid": "ReadVersion"
},
{
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:ap-south-1:YOUR_ACCOUNT_ID:key/YOUR_KMS_KEY_ID",
"Effect": "Allow",
"Sid": "KMSDecrypt"
}
]
}
Replace YOUR_ACCOUNT_ID and YOUR_KMS_KEY_ID with your AWS account ID and the KMS key ID, respectively.
Thank you! Customer managed key policy has bee fixed.