- Newest
- Most votes
- Most comments
Hello.
Check whether the target IAM role is allowed in the key policy of the customer key used for artifact S3 encryption.
Based on the content of the error message, I believe that the operation is probably not allowed by the key policy of the KMS key.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html#pipelines-create-cross-account-create-key
It seems like the IAM role cdk-hnb659fds-deploy-role-730335647464-ap-south-1 lacks the necessary permissions to perform the kms:Decrypt action on the resource associated with the ciphertext in the ap-south-1 region. This error typically arises when the IAM policy attached to the role does not grant adequate permissions for the required action.
To resolve this issue: -
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormationPermissions"
},
{
"Condition": {
"StringNotEquals": {
"s3:ResourceAccount": "730335647464"
}
},
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:Abort*",
"s3:DeleteObject*",
"s3:PutObject*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "PipelineCrossAccountArtifactsBucket"
},
{
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.ap-south-1.amazonaws.com"
}
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "PipelineCrossAccountArtifactsKey"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:GetTemplate",
"cloudformation:DeleteStack",
"cloudformation:UpdateTerminationProtection",
"sts:GetCallerIdentity",
"cloudformation:GetTemplateSummary"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CliPermissions"
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
"arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
],
"Effect": "Allow",
"Sid": "CliStagingBucket"
},
{
"Action": [
"ssm:GetParameter"
],
"Resource": [
"arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
],
"Effect": "Allow",
"Sid": "ReadVersion"
},
{
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:ap-south-1:YOUR_ACCOUNT_ID:key/YOUR_KMS_KEY_ID",
"Effect": "Allow",
"Sid": "KMSDecrypt"
}
]
}
Replace YOUR_ACCOUNT_ID and YOUR_KMS_KEY_ID with your AWS account ID and the KMS key ID, respectively.
Relevant content
- asked 8 months ago
- asked 5 years ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Thank you! Customer managed key policy has bee fixed.