I just executed a quick test, and it worked with the following elements:
KMS Key policy: Make sure to have something like this in the policy:
{
    "Sid": "Allow access for EB Pipes",
    "Effect": "Allow",
    "Principal": {
        "Service": "pipes.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "111222333444"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:pipes:us-east-1:111222333444:pipe/test-pipe"
        }
    }
}
The service role for pipes should have the following permission:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:111222333444:key/KEY-ID"
        }
    ]
}
And last but not least, SNS Access Policy:
{
    "Sid": "allow_pipes",
    "Effect": "Allow",
    "Principal": {
        "Service": "pipes.amazonaws.com"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111222333444:test-topic",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "111222333444"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:pipes:us-east-1:111222333444:pipe/test-pipe"
        }
    }
}
Make sure to replace all account IDs and resource ARNs. In general, try to create policies as restrictive as possible (see "Conditions" blocks above).
I know that you already have many of those elements in your configuration; for the sake of completeness I still wanted to add them here. Hope this helps you resolve the issue!
PS: Maybe try an e-mail subscriber on the SNS topic, to make sure that the issue is not on the receiver side.
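The answer above relies on three policies agreeing with each other: the KMS key policy must let the Pipes service principal use the key, the pipe's execution role must be allowed the same KMS actions, and the SNS topic policy must accept Publish from Pipes, all scoped with aws:SourceAccount / aws:SourceArn so another account's pipe cannot use the grants. The script below is an added example (not code from AWS or from the answer's author) that checks those three documents offline and reports what is missing. The policies embedded in it are copies of the ones in the answer, with the same placeholder account ID, key ID, pipe and topic names; the checker itself and its finding messages are this example's own design.

```python
"""Offline check of the three policies an EventBridge Pipe needs to read a
KMS-encrypted source and publish to an SNS topic.  Added example for this
thread, not code from AWS or from the answer's author.  The three documents
are copies of the answer's policies (same placeholder account ID, key ID and
pipe/topic names); the checker and its finding strings are this example's own."""
import copy
import fnmatch
from typing import List, Optional

PIPES = "pipes.amazonaws.com"
ACCOUNT = "111222333444"
PIPE_ARN = "arn:aws:pipes:us-east-1:111222333444:pipe/test-pipe"
KEY_ARN = "arn:aws:kms:us-east-1:111222333444:key/KEY-ID"
TOPIC_ARN = "arn:aws:sns:us-east-1:111222333444:test-topic"
SCOPE = {"StringEquals": {"aws:SourceAccount": ACCOUNT},
         "ArnLike": {"aws:SourceArn": PIPE_ARN}}

# Copies of the answer's three policies (placeholder values as posted).
KMS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow access for EB Pipes", "Effect": "Allow",
     "Principal": {"Service": PIPES},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
     "Resource": "*", "Condition": SCOPE}]}
PIPE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN}]}
SNS_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "allow_pipes", "Effect": "Allow",
     "Principal": {"Service": PIPES}, "Action": "SNS:Publish",
     "Resource": TOPIC_ARN, "Condition": SCOPE}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _glob(value: str, patterns, case_insensitive: bool) -> bool:
    """IAM-style '*' / '?' matching; actions compare case-insensitively, ARNs do not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_is(stmt: dict, service: str) -> bool:
    principal = stmt.get("Principal", {})
    return isinstance(principal, dict) and service in _as_list(principal.get("Service", []))


def _scoped_to(stmt: dict, account: str, pipe_arn: str) -> bool:
    """True when the statement carries the confused-deputy conditions from the answer."""
    cond = stmt.get("Condition", {})
    accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
    arns = cond.get("ArnLike", {}).get("aws:SourceArn", [])
    return account in accounts and _glob(pipe_arn, arns, case_insensitive=False)


def _find_allow(policy: dict, service: Optional[str], action: str, resource: str) -> Optional[dict]:
    """First Allow statement granting `action` on `resource` (to `service`, if given)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if service and not _principal_is(stmt, service):
            continue
        if _glob(action, stmt.get("Action", []), True) and _glob(resource, stmt.get("Resource", []), False):
            return stmt
    return None


def check_pipe_policies(kms_key_policy, pipe_role_policy, sns_topic_policy,
                        account=ACCOUNT, pipe_arn=PIPE_ARN,
                        key_arn=KEY_ARN, topic_arn=TOPIC_ARN) -> List[str]:
    """Return a list of findings; an empty list means the three policies line up."""
    findings = []
    for action in ("kms:Decrypt", "kms:GenerateDataKey"):
        # Resource-side grant on the key, and identity-side grant on the pipe role.
        stmt = _find_allow(kms_key_policy, PIPES, action, key_arn)
        if stmt is None:
            findings.append(f"key policy: no Allow of {action} for {PIPES}")
        elif not _scoped_to(stmt, account, pipe_arn):
            findings.append(f"key policy: {action} grant to {PIPES} lacks aws:SourceAccount/aws:SourceArn conditions")
        if _find_allow(pipe_role_policy, None, action, key_arn) is None:
            findings.append(f"pipe role: missing {action} on {key_arn}")
    stmt = _find_allow(sns_topic_policy, PIPES, "sns:Publish", topic_arn)
    if stmt is None:
        findings.append(f"topic policy: no Allow of sns:Publish for {PIPES} on {topic_arn}")
    elif not _scoped_to(stmt, account, pipe_arn):
        findings.append("topic policy: sns:Publish grant lacks aws:SourceAccount/aws:SourceArn conditions")
    return findings


def without_conditions(policy: dict) -> dict:
    """Copy of `policy` with every Condition block removed, to show what the check catches."""
    loosened = copy.deepcopy(policy)
    for stmt in _as_list(loosened.get("Statement", [])):
        stmt.pop("Condition", None)
    return loosened


if __name__ == "__main__":
    print("as posted:", check_pipe_policies(KMS_KEY_POLICY, PIPE_ROLE_POLICY, SNS_TOPIC_POLICY))
    print("key policy without conditions:",
          check_pipe_policies(without_conditions(KMS_KEY_POLICY), PIPE_ROLE_POLICY, SNS_TOPIC_POLICY))
```

Run as-is it reports no findings for the posted policies, and two findings once the key policy's Condition block is dropped, which is the "as restrictive as possible" point the answer makes: a grant to a service principal without the SourceAccount/SourceArn conditions is usable by any pipe in any account. To check your own setup, replace the three embedded dictionaries with the JSON from `aws kms get-key-policy`, the role's inline/attached policy, and `aws sns get-topic-attributes`, and adjust the ARN constants.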
I don’t see any permissions in your KMS policy for the SQS queue?
Have you looked in CloudTrail to help debug the missing permissions and to confirm the service principal?
I've already tried that.
The EventBridge Pipes to me is Pipes, but as I could not find any helpful resource I tried that with no success.
The events represent the service around EventBus and CloudWatch Events.
Just updated the answer. Can you re-review?
And I’d assume Pipes would need encrypt also? CloudTrail should help.
Actually my target is SNS and, as you see, the pipe role has sns:Publish. Unfortunately I did not have access to CloudTrail; I tried, but my access is not yet approved :(
Ah, sorry, SNS my friend. Does the KMS policy allow SNS to decrypt too?
Thanks, @Michael,
Cool, and I appreciate your help.
I'll give it a try this morning; it seems logical that it works, and I see my missing parts well.
@Michael
Actually your solution works with no problem and I would like to tag it as the answer, but there is one part that is extra and you don't need it.
The KMS policy does not need the statement for the SNS service. In reality, and maybe based on my understanding of SNS encryption, the SNS service has no need for Decrypt / GenerateDataKey; these two actions are necessary at transit boundaries and not for SNS by itself.
Please edit your excellent response before marking it as the answer.
@Eidivandi Thanks for letting me know and for the confirmation! Just edited the answer. Also, thank you for taking the time to follow up and accept the answer!