aws-codepipeline: Only supports KMS but not KMS_MANAGED

aws-codepipeline fails if I use the CdkPipeline with provisioning its own bucket, with cross-account active and with KMS_MANAGED. These lines are the culprit:

    // if we have a cross-account action, the pipeline's bucket must have a KMS key
    // (otherwise we can't configure cross-account trust policies)
    if (action.isCrossAccount) {
      const artifactBucket = this.ensureReplicationResourcesExistFor(action).artifactBucket;
      if (!artifactBucket.encryptionKey) {
        throw new Error(
          `Artifact Bucket must have a KMS Key to add cross-account action '${action.actionProperties.actionName}' ` +
          `(pipeline account: '${renderEnvDimension(this.env.account)}', action account: '${renderEnvDimension(action.effectiveAccount)}'). ` +
          'Create Pipeline with \'crossAccountKeys: true\' (or pass an existing Bucket with a key)',
        );
      }
    }

It states clearly that we need to use KMS. But by using the property artifactBucket.encryptionKey you can only validate that you are using KMS with an external key. It doesn’t support KMS_MANAGED this way. The underlying issue might be that the property encryptionKey is null when using KMS_MANAGED.

So I suggest not letting it be null, or changing the if statement plus adding an optional read property on the bucket to get which encryption is used.

I created a draft PR: . If you like it I will continue with it and implement the new encryption property.

Reproduction Steps

    const sourceBucket = new s3.Bucket(this, 'PipeBucket', {
      removalPolicy: core.RemovalPolicy.DESTROY,
      autoDeleteObjects: true,
      versioned: true,
      encryption: s3.BucketEncryption.KMS_MANAGED,
    });

    const pipeline = new Pipeline(this, 'Pipeline', {
      artifactBucket: sourceBucket,
      restartExecutionOnUpdate: true,
    });

    const sourceArtifact = new Artifact();
    const cloudAssemblyArtifact = new Artifact();

    const cdkPipeline = new CdkPipeline(this, 'CdkPipeline', {
      // The pipeline name
      // pipelineName: `${this.stackName}-pipeline`,
      codePipeline: pipeline,
      // crossAccountKeys: true,

      // Where the source can be found
      sourceAction: repo,
      // ...
    });

What did you expect to happen?

No error

What actually happened?

cdk deploy throws “Artifact Bucket must have a KMS Key to add cross-account action …”



This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 18 (7 by maintainers)
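
The check quoted in the issue, as a stand-alone TypeScript model (an added example, not aws-cdk source and not the reporter's code). ModelBucket, makeBucket, checkCrossAccount, the encryption read property, the account ids and the key ARN are assumptions made for illustration; it shows why a KMS_MANAGED bucket has no encryptionKey for the pipeline to attach a cross-account trust policy to.

```typescript
// Added illustration: a simplified model of the check, not aws-cdk source.
type BucketEncryption = 'UNENCRYPTED' | 'S3_MANAGED' | 'KMS_MANAGED' | 'KMS';

interface ModelKey { keyArn: string }   // stands in for a customer-managed KMS key

interface ModelBucket {
  encryption: BucketEncryption;         // hypothetical read property suggested in the issue
  encryptionKey?: ModelKey;             // set only when the bucket owns a key object
}

// KMS_MANAGED uses the AWS-managed key, so the bucket holds no key object.
function makeBucket(encryption: BucketEncryption, key?: ModelKey): ModelBucket {
  if (encryption === 'KMS') {
    // Constructed placeholder ARN, used when the caller passes no key.
    return { encryption, encryptionKey: key ?? { keyArn: 'arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE' } };
  }
  if (key) {
    throw new Error(`a key can only be combined with KMS, got ${encryption}`);
  }
  return { encryption };
}

interface CheckResult { ok: boolean; reason: string }

// Same decision as the quoted check, but the failure names the encryption mode.
function checkCrossAccount(bucket: ModelBucket, pipelineAccount: string, actionAccount: string): CheckResult {
  if (pipelineAccount === actionAccount) {
    return { ok: true, reason: 'same account: no cross-account key policy needed' };
  }
  if (bucket.encryptionKey) {
    return { ok: true, reason: `key policy on ${bucket.encryptionKey.keyArn} can trust ${actionAccount}` };
  }
  if (bucket.encryption === 'KMS_MANAGED') {
    return { ok: false, reason: 'KMS_MANAGED: no key object to attach a cross-account policy to' };
  }
  return { ok: false, reason: `${bucket.encryption}: bucket has no KMS key` };
}

// Constructed account ids for the demonstration.
const modes: BucketEncryption[] = ['UNENCRYPTED', 'S3_MANAGED', 'KMS_MANAGED', 'KMS'];
for (const mode of modes) {
  const result = checkCrossAccount(makeBucket(mode), '111111111111', '222222222222');
  console.log(mode, result.ok ? 'OK' : 'REJECTED', '-', result.reason);
}
```

In the model, as in the quoted check, only the mode that carries its own key passes for a cross-account action, which matches the error message's advice to use crossAccountKeys: true or to pass a bucket with a key.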

Top GitHub Comments

QuinnyPig commented, Oct 6, 2021

So few things make me happy, but this would indeed please me.

skinny85 commented, Oct 6, 2021

Sorry, I don’t understand 😜.

You said:

@skinny85 Adding if (build.role) artifactBucket.grantReadWrite(build.role) has fixed it! Thank you for the tip.

But then the code that you have that you said works does not have if (build.role) artifactBucket.grantReadWrite(build.role) anywhere:

const artifactBucket = new s3.Bucket(this, 'CodePipelineArtifactsBucket', {
  encryption: s3.BucketEncryption.KMS_MANAGED, // to prevent creating KMS keys (they cost money)
  removalPolicy: RemovalPolicy.DESTROY,
})
const build = new codebuild.PipelineProject(this, 'CodeBuildProject', { /* props */ })
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['s3:PutObject*'],
    resources: [artifactBucket.arnForObjects('*')],
  })
new codepipeline.Pipeline(this, 'CodePipeline', {
  // .... other props
  stageName: 'Build',
  actions: [
    new actions.CodeBuildAction({
      actionName: 'CodeBuild',
      project: build,
      input: sourceOutput,
      outputs: [buildOutput],
    }),
  ],
})

So… which one is it? 😜
