By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM Permission issue

0

Hi, During Prepare step in deployment in our pipeline, we are getting the following permission error. Pipeline is part of root account and the stage that we try to deploy is another account. Both is linked in AWS Organizations and IAM Identity Center.

User: arn:aws:sts::730335647464:assumed-role/cdk-hnb659fds-deploy-role-730335647464-ap-south-1/1714469899562 is not authorized to perform: kms:Decrypt 
on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly 
denies access (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: R5ETGAG98E7SFM4V; S3 Extended Request ID: 
6i0h03zjDJoA+2sytSKLJT3TKCSSiRkTPCvc8/H8a439M6XyeCE36ZCiEfFwF67iqOIfIWH1Td4=; Proxy: null)

Policy attached to --- cdk-hnb659fds-deploy-role-730335647464-ap-south-1

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "cloudformation:CreateChangeSet",
            "cloudformation:DeleteChangeSet",
            "cloudformation:DescribeChangeSet",
            "cloudformation:DescribeStacks",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:CreateStack",
            "cloudformation:UpdateStack"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "CloudFormationPermissions"
    },
    {
        "Condition": {
            "StringNotEquals": {
                "s3:ResourceAccount": "730335647464"
            }
        },
        "Action": [
            "s3:GetObject*",
            "s3:GetBucket*",
            "s3:List*",
            "s3:Abort*",
            "s3:DeleteObject*",
            "s3:PutObject*"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "PipelineCrossAccountArtifactsBucket"
    },
    {
        "Condition": {
            "StringEquals": {
                "kms:ViaService": "s3.ap-south-1.amazonaws.com"
            }
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "PipelineCrossAccountArtifactsKey"
    },
    {
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
        "Effect": "Allow"
    },
    {
        "Action": [
            "cloudformation:DescribeStackEvents",
            "cloudformation:GetTemplate",
            "cloudformation:DeleteStack",
            "cloudformation:UpdateTerminationProtection",
            "sts:GetCallerIdentity",
            "cloudformation:GetTemplateSummary"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "CliPermissions"
    },
    {
        "Action": [
            "s3:GetObject*",
            "s3:GetBucket*",
            "s3:List*"
        ],
        "Resource": [
            "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
            "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
        ],
        "Effect": "Allow",
        "Sid": "CliStagingBucket"
    },
    {
        "Action": [
            "ssm:GetParameter"
        ],
        "Resource": [
            "arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
        ],
        "Effect": "Allow",
        "Sid": "ReadVersion"
    }
]
}

Trust Relationship:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::730335647464:root"
        },
        "Action": "sts:AssumeRole"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::134514717601:root"
        },
        "Action": "sts:AssumeRole"
    }
]
}
Topics
Developer ToolsSecurity, Identity, & Compliance
Tags
AWS CodePipelineAWS IAM Identity CenterIAM Policies
Language
English
idesk-dev
asked 17 days ago162 views
2 Answers
2
Accepted Answer

Hello.

Check whether the target IAM role is allowed in the key policy of the customer key used for artifact S3 encryption.
Based on the content of the error message, I believe that the operation is probably not allowed by the key policy of the KMS key.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html#pipelines-create-cross-account-create-key

profile picture
EXPERT
Riku_Kobayashi
answered 17 days ago
profile picture
EXPERT
Oleksii Bebych
reviewed 17 days ago
profile picture
EXPERT
Adeleke Adebowale J
reviewed 17 days ago
  • idesk-dev
    17 days ago

    Thank you! Customer managed key policy has bee fixed.

2

It seems like the IAM role cdk-hnb659fds-deploy-role-730335647464-ap-south-1 lacks the necessary permissions to perform the kms:Decrypt action on the resource associated with the ciphertext in the ap-south-1 region. This error typically arises when the IAM policy attached to the role does not grant adequate permissions for the required action.

To resolve this issue: -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStacks",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormationPermissions"
        },
        {
            "Condition": {
                "StringNotEquals": {
                    "s3:ResourceAccount": "730335647464"
                }
            },
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:PutObject*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PipelineCrossAccountArtifactsBucket"
        },
        {
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3.ap-south-1.amazonaws.com"
                }
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PipelineCrossAccountArtifactsKey"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::730335647464:role/cdk-hnb659fds-cfn-exec-role-730335647464-ap-south-1",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:GetTemplate",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateTerminationProtection",
                "sts:GetCallerIdentity",
                "cloudformation:GetTemplateSummary"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CliPermissions"
        },
        {
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1",
                "arn:aws:s3:::cdk-hnb659fds-assets-730335647464-ap-south-1/*"
            ],
            "Effect": "Allow",
            "Sid": "CliStagingBucket"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:ap-south-1:730335647464:parameter/cdk-bootstrap/hnb659fds/version"
            ],
            "Effect": "Allow",
            "Sid": "ReadVersion"
        },
        {
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:ap-south-1:YOUR_ACCOUNT_ID:key/YOUR_KMS_KEY_ID",
            "Effect": "Allow",
            "Sid": "KMSDecrypt"
        }
    ]
}

Replace YOUR_ACCOUNT_ID and YOUR_KMS_KEY_ID with your AWS account ID and the KMS key ID, respectively.

profile picture
kranthi putti
answered 17 days ago
profile picture
EXPERT
Adeleke Adebowale J
reviewed 17 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content