
Error: User not authorised to perform kms on AWS KMS Resource in Amazon S3 in my CodePipeline Codedeploy

0

I encountered an error while deploying my pipeline code to Amazon S3, specifically related to KMS decryption. Below are the details:

Error message
User: arn:aws:sts::12345532222333:assumed-role/DeploymentRole/1721586989833 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: X1ZZ24PS4T0KZRJM; S3 Extended Request ID: VvX9LYNvFG9Nuf6SMi6pM8bNjaob2vbTsIIS7bkx2PPrh6G2lUvDtKE4cYNXQMyvKOb7mf5x6qw=; Proxy: null)


Below is my KMSkey Setup in my Tooling Account

  SharedKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: 'AWS KMS to encrypt artifacts for pipelines stored in S3 buckets.'
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-consolepolicy-3"
        Statement:
        - Sid: "EnableIAMUserPermissions"
          Effect: "Allow"
          Action: ["kms:*"]
          Principal:
            AWS: [!Sub "arn:aws:iam::${ToolingAccountID}:root"]
          Resource: "*"
        - Sid: "AllowUseOfTheKey"
          Effect: "Allow"
          Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey']
          Principal: {AWS: "*"}
          Resource: "*"
          Condition: #[Only Allow access to those IAM roles whose ARNs Match]
            ArnLike:
              aws:PrincipalArn:
              - !Sub "arn:aws:iam::${StagingAccountID}:role/*"
              - !Sub "arn:aws:iam::${ProductionAccountID}:role/*"
4 Answers
1

You'll have to permit access to kms:Decrypt and kms:GenerateDataKey (without the wildcard) also in the policies attached to the IAM role.

KMS is one of the two exceptions to the general intra-account policy evaluation rules in that it requires access to be permitted explicitly to the role, either by referencing the role ARN explicitly in the key policy, or permitting access more generally in both the identity-based policies and the key policy.

EXPERT
answered a year ago
  • Can you show me please how I can achieve this? Thanks

  • Thanks, it also turned out that I didn't configure the pipeline Artifact store Encryption Key with KMS either:

    EncryptionKey: {"Type": KMS, "Id": !Ref KMSKeyARN }

1

If you're doing this with CloudFormation, you can declare an IAM policy such as the one shown below (with the proper parameters substituted) and attach it to the IAM role by referencing KmsAccessPolicy in the ManagedPolicyArns property of the AWS::IAM::Role in your template. This example assumes that your S3 bucket is using the bucket key feature, as most buckets are:

KmsAccessPolicy:
  Type: 'AWS::IAM::ManagedPolicy'
  Properties: 
    Description: 'Permissions policy for KMS access by DeploymentRole'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: 'AllowKmsAccess'
          Effect: 'Allow'
          Action: ['kms:Decrypt','kms:GenerateDataKey']
          Resource: !Ref KmsKeyArn
          Condition:
            StringEquals:
              'kms:ViaService': !Sub 's3.${AWS::Region}.amazonaws.com'
              'kms:EncryptionContext:aws:s3:arn': !Sub '${S3Bucket.Arn}'
EXPERT
answered a year ago
  • Thanks Leo K, it also turned out that I didn't configure the pipeline Artifact store Encryption Key with KMS either:

    EncryptionKey: {"Type": KMS, "Id": !Ref KMSKeyARN }

1

For the same account:

  1. If you allowed the root in the principal section of the KMS policy, then you would need to grant access via the IAM policy as well. You can attach the KMS-related actions as an IAM policy to the role that is accessing the KMS key.

OR

  2. You can directly allow the IAM role that is accessing the KMS key in the principal section of the KMS policy.

AWS
SUPPORT ENGINEER
answered a year ago
  • Thanks Ankita, it also turned out that I didn't configure the pipeline Artifact store Encryption Key with KMS either:

    EncryptionKey: {"Type": KMS, "Id": !Ref KMSKeyARN }

0
Accepted Answer

We were not setting the KMS encryption key, so the default was being used. If you're attempting to access cross-account, then the keys won't match. So, adding the EncryptionKey property on the CodePipeline ensures you're using the same key cross-account for artifact push/pull activity:


answered a year ago
EXPERT
reviewed 10 months ago
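The answers above describe three separate pieces that all have to line up before a cross-account role can read KMS-encrypted pipeline artifacts: the key policy in the tooling account must grant the role (explicitly, or via root plus an identity policy), the role's own IAM policy in the deployment account must allow kms:Decrypt and kms:GenerateDataKey on that key, and the pipeline's ArtifactStore must be pinned to the shared key instead of the default one. The following two CloudFormation fragments, written here as an added example and not taken from the asker's template or the answerers' posts, wire those pieces together. Logical IDs, parameter names, the role name DeploymentRole and the bucket key settings are assumptions; substitute your own.

```yaml
# --- Tooling-account template (key, artifact bucket, pipeline artifact store) ---
# Added example, not the asker's template. Parameter and resource names are assumptions.
Parameters:
  ToolingAccountID:
    Type: String
  StagingAccountID:
    Type: String
  DeploymentRoleName:
    Type: String
    Default: DeploymentRole        # assumed role name in the staging account

Resources:
  # Piece 1: the key policy names the cross-account role explicitly, so KMS does not
  # rely on "AWS: '*'" plus a PrincipalArn condition to decide who may use the key.
  SharedKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for pipeline artifacts stored in S3
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${ToolingAccountID}:root
            Action: kms:*
            Resource: '*'
          - Sid: AllowDeploymentRoleUseOfTheKey
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${StagingAccountID}:role/${DeploymentRoleName}
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
              - kms:DescribeKey
            Resource: '*'

  # Artifact bucket with S3 Bucket Keys enabled; with bucket keys the KMS
  # encryption context is the bucket ARN, which the identity policy below checks.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt SharedKMSKey.Arn

  # Piece 3: the pipeline artifact store is pinned to the shared key. Without
  # EncryptionKey the pipeline uses the default key, which the other account
  # cannot be granted access to.
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !GetAtt PipelineServiceRole.Arn   # assumed: defined elsewhere in the stack
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
        EncryptionKey:
          Type: KMS
          Id: !GetAtt SharedKMSKey.Arn
      Stages: []    # placeholder: your source/build/deploy stages go here

---
# --- Staging-account template (the identity-based half of the grant) ---
# Added example. KmsKeyArn and ArtifactBucketArn are outputs of the tooling stack.
Parameters:
  KmsKeyArn:
    Type: String
  ArtifactBucketArn:
    Type: String

Resources:
  # Piece 2: the role's own policy. Because KMS requires both halves, the key
  # policy alone is not enough even though it names this role explicitly.
  KmsAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: KMS access for DeploymentRole via S3 artifact reads/writes
      Roles:
        - DeploymentRole                # assumed existing role name
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowKmsAccessViaS3
            Effect: Allow
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: !Ref KmsKeyArn
            Condition:
              StringEquals:
                kms:ViaService: !Sub s3.${AWS::Region}.amazonaws.com
                kms:EncryptionContext:aws:s3:arn: !Ref ArtifactBucketArn
```

The kms:ViaService and encryption-context conditions restrict the role to using the key only through S3 and only for this bucket, so a leaked credential for DeploymentRole cannot call kms:Decrypt on arbitrary ciphertext directly. If you disable S3 Bucket Keys, the encryption context becomes the object ARN rather than the bucket ARN, and the StringEquals on kms:EncryptionContext:aws:s3:arn must be changed accordingly. The artifact bucket's own bucket policy must also allow the cross-account role to read and write objects; that part is outside what this thread covers and is not shown.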
