Artifact bucket must have a KMS Key to add cross-account action 'Read_Version_From_S3' (pipeline account: A, action account: B). Create Pipeline with 'crossAccountKeys: true' (or pass an existing Bucket with a key)
When trying to run unit tests I am getting the following error: Artifact Bucket must have a KMS Key to add cross-account action ‘Read_Version_From_S3’ (pipeline account: A, action account: B). Create Pipeline with ‘crossAccountKeys: true’ (or pass an existing Bucket with a key)
I am attempting to bump the cdk version from 1.66 to 1.77. After further investigations I have found that we are not able to import the bucket with the kms key.
Reproduction Steps
Upgrade cdk from 1.66 to 1.77. I have added crossAccountKeys: false as we are creating our own bucket in a separate stack.
const triggerBucket: IBucket = Bucket.fromBucketName(this, "triggerBucketName", triggerBucketName);
// const triggerBucketFromBucketAttributes: IBucket = Bucket.fromBucketAttributes(this, "triggerBucket", {
//   bucketName: triggerBucketName,
// });
// const triggerBucketFromBucketArn: IBucket = Bucket.fromBucketArn(this, "triggerBucket", `arn:aws:s3:::${triggerBucketName}`);
console.log(JSON.stringify(triggerBucket.encryptionKey));
new Pipeline(this, `${cdkNamespace}${pipelineName}`, {
  stages: [
    sourceStage,
    infraDeployStage,
    appBuildStage,
  ],
  pipelineName: `${cdkNamespace}${pipelineName}`,
  artifactBucket: triggerBucket,
  role: codeBuildProjectRole
});
What did you expect to happen?
No breaking changes.
What actually happened?
Artifact bucket must have a KMS Key to add cross-account action 'Read_Version_From_S3' (pipeline account: A, action account: B). Create Pipeline with 'crossAccountKeys: true' (or pass an existing Bucket with a key)
> 25 | new CreatePipelineConstruct(this,
| ^
26 | 'CreatePipelineConstruct',
27 | pipelineConfig,
28 | pipelineName,
at Pipeline.getRoleFromActionPropsOrGenerateIfCrossAccount (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:600:15)
at Pipeline.getRoleForAction (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:572:27)
at Pipeline._attachActionToPipeline (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:403:29)
at Stage.attachActionToPipeline (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/private/stage.ts:141:27)
at Stage.addAction (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/private/stage.ts:91:29)
at new Stage (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/private/stage.ts:38:12)
at Pipeline.addStage (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:332:19)
at new Pipeline (node_modules/cdk-common/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:316:12)
at new CreatePipelineConstruct (node_modules/cdk-common/lib/constructs/pipelines/CreatePipelineConstruct.ts:519:7)
at new PipelineStack (bin/pipelines/PipelineStack.ts:25:5)
at Object.<anonymous> (test/unit/pipelines/CreatePipelineConstruct.test.ts:26:15)
Environment
- CDK CLI Version : 1.77.0
- Framework Version:
- Node.js Version: 14.3.0
- OS : OS Mojave
- Language (Version): TypeScript (3.9.5)
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (3 by maintainers)
Top GitHub Comments
Yes, because you’re not passing the Key in your code 🙂
I had the same error message and including an imported key did the trick. Thanks @skinny85!
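A pre-deploy check for the condition behind this error, as an added example that is not part of the issue thread or CDK's own code: it scans a synthesized CloudFormation template for CodePipeline actions whose role lives in another account while the artifact store carries no KMS key. The template shape, account IDs, bucket and role names, and function names are assumptions; only literal role ARNs are resolved, so intrinsics such as Fn::Join are skipped.

```typescript
// Added example (not from the issue or CDK): report cross-account CodePipeline
// actions in a CloudFormation template whose artifact store has no KMS key.
type Action = { Name: string; RoleArn?: unknown };
type ArtifactStore = { Type?: string; Location?: unknown; EncryptionKey?: { Id?: unknown; Type?: string } };
type PipelineProps = { ArtifactStore?: ArtifactStore; Stages?: { Name: string; Actions?: Action[] }[] };
type Template = { Resources: Record<string, { Type: string; Properties?: PipelineProps }> };

// Account ID of a literal ARN string; undefined for intrinsics (Fn::Join, Fn::GetAtt).
function accountOf(arn: unknown): string | undefined {
  if (typeof arn !== "string") return undefined;
  const account = arn.split(":")[4] ?? "";
  return /^\d{12}$/.test(account) ? account : undefined;
}

// One finding per action that runs in another account while no KMS key is set.
function findUnkeyedCrossAccountActions(template: Template, pipelineAccount: string): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::CodePipeline::Pipeline") continue;
    const key = res.Properties?.ArtifactStore?.EncryptionKey;
    const hasKey = key !== undefined && key.Type === "KMS" && key.Id !== undefined;
    for (const stage of res.Properties?.Stages ?? []) {
      for (const action of stage.Actions ?? []) {
        const account = accountOf(action.RoleArn);
        if (account !== undefined && account !== pipelineAccount && !hasKey) {
          findings.push(`${id}/${stage.Name}/${action.Name}: action account ${account}, no KMS key`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample: placeholder account IDs, bucket and role names.
const sample: Template = { Resources: { Pipe: { Type: "AWS::CodePipeline::Pipeline", Properties: {
  ArtifactStore: { Type: "S3", Location: "trigger-bucket" },
  Stages: [
    { Name: "Source", Actions: [
      { Name: "Read_Version_From_S3", RoleArn: "arn:aws:iam::222222222222:role/source-role" }] },
    { Name: "Build", Actions: [
      { Name: "App_Build", RoleArn: "arn:aws:iam::111111111111:role/build-role" }] },
  ] } } } };

console.log(findUnkeyedCrossAccountActions(sample, "111111111111"));
```
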