KMSKey object cannot add a key policy by calling the addToResourcePolicy function in cdk code?

0

Hello! I'm having trouble setting the KMS key policy via CDK code; here's how I'm dealing with it so far.

First, I create a KMS key in a stack and then use "new cdk.CfnOutput" to export the ARN of the KMS key.

Then, in another stack, I use "cdk.Fn.importValue" to import the ARN of the KMS key and "kms.Key.fromKeyArn" to get the KMS key object.

Finally, I want to add a key policy to the KMS key by calling the "addToResourcePolicy" method, but after the deployment completes I cannot see the added key policy in the AWS KMS console, although there is no error during the deployment.

The CDK code is written in TypeScript.

The basic invocation process is as follows:

// Stack A
const demoKMSKey = new kms.Key(this, 'demoKMSKey', {
    alias: `demoKMSKey`,
});

new cdk.CfnOutput(this, 'demoKMSKey-Arn', {
    exportName: 'demoKMSKey-Arn',
    value: demoKMSKey.keyArn,
});

// Stack B
const demoKMSKey = kms.Key.fromKeyArn(
    this,
    'demoKMSKey',
    cdk.Fn.importValue('demoKMSKey-Arn')
);

demoKMSKey.addToResourcePolicy(
    new iam.PolicyStatement({
        sid: `demoKMSKeyPolicy`,
        effect: iam.Effect.ALLOW,
        principals: [new iam.ArnPrincipal(ec2RoleArn)], // ARN of the EC2 role, defined elsewhere
        actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
        resources: ['*'],
    })
);

Current KMS Key Policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345678901234:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

Additional notes: the user who performs the CDK deployment has the kms:* permission on all resources.

1 Answer
1
Accepted Answer

Hello.

If you add a policy to "new kms.Key" as shown below, will it be displayed?
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html

demoKMSKey = new kms.Key(this, 'demoKMSKey', {
    alias: `demoKMSKey`,
    policy: ...
});
Expert
answered 1 month ago
Expert
reviewed 1 month ago
  • After I added the policy object (PolicyDocument), I performed the deployment and got the following error: Resource handler returned message: "Service returned error code MalformedPolicyDocumentException (Service: Kms, Status Code: 400, Request ID: 4b9b)" (RequestToken: bea34c2, HandlerErrorCode: InvalidRequest)

  • Then I also used the addToResourcePolicy method to add the policy in the stack that creates the KMS key, but I got the same error when deploying.

  • For the time being, I was able to confirm that it works with the code below. I was able to create code that can be referenced within the same stack.

    import * as cdk from 'aws-cdk-lib';
    import { Construct } from 'constructs';
    import * as kms from 'aws-cdk-lib/aws-kms';
    import * as iam from 'aws-cdk-lib/aws-iam';
    
    export class CdkAppStack extends cdk.Stack {
      constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);
    
        const demoKMSKey = new kms.Key(this, 'demoKMSKey', {
          alias: `demoKMSKey`,
        });
    
        const ec2Role = new iam.Role(this, 'Role', {
          roleName: 'test-assume',
          assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
        });
    
        const ec2RoleArn = ec2Role.roleArn;
    
        demoKMSKey.addToResourcePolicy(
          new iam.PolicyStatement({
              sid: `demoKMSKeyPolicy`,
              effect: iam.Effect.ALLOW,
              principals: [new iam.ArnPrincipal(ec2RoleArn)],
              actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
              resources: ['*'],
          })
        );
    
        new cdk.CfnOutput(this, 'demoKMSKey-Arn', {
          exportName: 'demoKMSKey-Arn',
          value: demoKMSKey.keyArn,
        });
      }
    }
    
  • I haven't been able to confirm this due to lack of time, but it may be possible to reference KMS from another stack using the method described in the document below. https://repost.aws/knowledge-center/cdk-cross-stack-reference

  • Thanks for your help, I'm going to keep investigating. Could you tell me the permissions of your deployment user? Thanks again.
