(@aws-cdk/aws-codepipeline-actions): Not able to deploy to s3 bucket with KMS encryption

I have a pipeline the finnal step is to move the outcome into an existing s3 bucket, created in another stack.

const publishBucket = s3.Bucket.fromBucketName(
                this,
                'PublishBucket',
                serviceBundleBucket
            );
       const publishAction = new codepipeline_actions.S3DeployAction({
            actionName: 'Publish',
            bucket: targetBucket,
            objectKey: bucketKey,
            input: this.outputArtifact,
            extract: false,
        });

The target bucket is

1. created from another stack

2. encrypted with KMS custom key, with rotation enabled.

It works with encryption with S3_managed, but not KMS.

Also tested, it works with KMS key if the bucket is created in the same stack.

Reproduction Steps

1. create a pipeline
2. look up a s3 bucket (encrypted with KMS key, created outside the stack)
3. add final action to deploy to a s3 bucket
4. deploy failed with error

You do not have sufficient permissions to call s3.putObject for the deployment bucket, ags.pes.opa.bundle-personal-test.split-stack. Verify that the policy on the resource allows you to perform this task. If you choose a canned ACL for your Amazon S3 deployment action, the policy must include the PutObjectAcl action. If the object already exists, the policy must also include the PutObjectVersionAcl action. Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: P963NYR7SFEKP4PD; S3 Extended Request ID: /1iwx2GLmjA3PUgaKmiqEEd5msttkjXzeJkdhRHe/ASiQibEmPeO5OaYt4vosmYDg9CHip7/Sqs=; Proxy: null)

What did you expect to happen?

deploy success

What actually happened?

deploy failed at the S3DeployAction

Environment

• **CDK CLI Version : 1.93.0
• **Framework Version:1.93.0
• **Node.js Version:v12.18.3
• **OS :mac 14.0
• **Language (Version): ts 4.1.x

Other

This is 🐛 Bug Report