
[aws-codepipeline] Pipeline does not respect KMS key set on artifact bucket for encrypting artifacts from CodeCommitSourceAction


Apparently, the aws-codepipeline.Pipeline construct does not respect the KMS key setting of the artifact bucket as described in https://github.com/aws/aws-cdk/issues/10079

Reopening as a bug, as the issue has been closed without us being able to reproduce the behavior that should happen as described by @skinny85.

Reproduction Steps

In dev account:

        self.repo = aws_codecommit.Repository(
            scope=stack,
            id="repo",
            repository_name="repo"
        )

In tools account (prereqs stack):

        key = aws_kms.Key(
            self,
            id="PipelineKey",
            alias="alias/codepipeline-crossaccounts",
            enable_key_rotation=True,
            policy=key_policy_document,
        )

        artifact_bucket = aws_s3.Bucket(
            self,
            id=get_conf_artifact_bucket_name(context=self),
            bucket_name=get_conf_artifact_bucket_name(context=self),
            encryption=aws_s3.BucketEncryption.KMS,
            encryption_key=key,
            access_control=aws_s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL
        )

In tools account (pipeline stack):

        artifact_bucket = aws_s3.Bucket.from_bucket_name(
            scope=self,
            id="artifact-bucket",
            bucket_name=get_conf_artifact_bucket_name(context=self)
        )

        # get_repository_arn is a function that reads the arn of the repo created in the dev account from cdk.json
        repo = aws_codecommit.Repository.from_repository_arn(
            self,
            id="repo",
            repository_arn=get_repository_arn(context=self)
        )

        pipeline = aws_codepipeline.Pipeline(
            scope=self,
            id="pipeline",
            pipeline_name="pipeline",
            artifact_bucket=artifact_bucket,
            role=pipeline_role
        )

        source_stage = pipeline.add_stage(stage_name="Source")

        source_stage.add_action(
            aws_codepipeline_actions.CodeCommitSourceAction(
                action_name="CodeCommitSource",
                repository=repo,
                output=aws_codepipeline.Artifact(
                    artifact_name="SCCheckoutArtifact"
                ),
                branch="develop",
                run_order=1,
                role=aws_iam.Role.from_role_arn(
                    self,
                    id="cc-role",
                    role_arn="<codecommit role in dev account>"
                ),
            )
        )

What did you expect to happen?

That the pipeline respects the key set on the artifact_bucket (in its own account, no less) to encrypt the CodeCommit artifact. As there is no explicit attribute to set an encryption key (in contrast to the possibility in CloudFormation), that was assumed.

What actually happened?

The artifact is encrypted using the default AWS managed KMS key for S3 of the source (dev) account, making it inaccessible for the later steps of the pipeline.

Environment

  • CLI Version: aws-cli/2.0.28 Python/3.7.7 Windows/10 botocore/2.0.0dev32
  • Framework Version: 1.59.0 (build 1d082f4)
  • Node.js Version: v12.18.2
  • OS: Windows 10
  • Language (Version): Python 3.8.5

Other

We need to use a customer managed KMS key here for security reasons. Giving the tools account privileges to use the AWS managed KMS key for S3 of the dev account is not an option.


This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

robert-hanuschke commented, Sep 1, 2020

Right, so that from_bucket_attributes worked, thank you!

For anyone possibly stumbling at the same thing, the gist of it:

When creating a Bucket construct that represents an external bucket (the aws-s3.Bucket.from_… functions) and its encryption key is important, use the from_bucket_attributes() function and pass the key as one of the parameters there.

I had the wrong way of thinking here, believing the from_bucket_arn()/from_bucket_name() function would possibly be able to gather that during the synth step. They aren’t.

Do:

        pipeline = aws_codepipeline.Pipeline(
            ...
            artifact_bucket=aws_s3.Bucket.from_bucket_attributes(
                scope=self,
                id="artifact-bucket-pipeline-test",
                bucket_arn=bucket_arn,
                encryption_key=key
            )
        )

This enables the Pipeline construct to set the encryption key of the artifact store to that of the bucket, which a CodeCommitSourceAction in any account will respect.

Don’t:

        pipeline = aws_codepipeline.Pipeline(
            ...
            artifact_bucket=aws_s3.Bucket.from_bucket_arn()
            # also don't: artifact_bucket=aws_s3.Bucket.from_bucket_name()
        )

This sets the encryption key of uploaded artifacts to the default AWS managed S3 key of the CodeCommit repository’s account if using a CodeCommitSourceAction.

skinny85 commented, Sep 1, 2020

Hey @robert-hanuschke,

the problem is that in the pipeline you’re using this Bucket:

        artifact_bucket = aws_s3.Bucket.from_bucket_name(
            scope=self,
            id="artifact-bucket",
            bucket_name=get_conf_artifact_bucket_name(context=self)
        )

Obviously, that Bucket does not have a Key associated with it.

You have 2 options:

  1. Use from_bucket_attributes instead, passing the encryption_key property to it to indicate that Bucket has an encryption Key.
  2. Recommended: pass artifact_bucket from the pre-reqs stack to your pipeline stack directly (do not use from_bucket_* methods at all).

BTW, I would appreciate it if you didn’t open multiple GitHub issues for the same problem (just comment in the closed one, and I’ll re-open it if you don’t have that option).

Thanks, Adam
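A defender-side check that follows from both comments above (robert-hanuschke's Do/Don't summary and skinny85's two options): after `cdk synth`, confirm that the template actually carries an artifact-store EncryptionKey. This is an added example, not code from the aws-cdk project or from anyone in the thread. It walks a synthesized CloudFormation template (the dict shape of a `cdk.out/*.template.json` file) and flags every `AWS::CodePipeline::Pipeline` whose `ArtifactStore` (or any entry of the cross-region `ArtifactStores` list) lacks a KMS `EncryptionKey`, which is what the `from_bucket_name()`/`from_bucket_arn()` route produces, while `from_bucket_attributes(encryption_key=...)` or passing the Bucket object directly yields one. The two embedded templates, the bucket name, account id, role ARN and key ARN are constructed placeholders, and `check_template_file` is a convenience wrapper named here for the example.

```python
"""Post-synth check: does every CodePipeline artifact store name an explicit KMS key?

Added example (not aws-cdk project code). Without an ArtifactStore.EncryptionKey in
the template, a CodeCommitSourceAction in another account uploads artifacts under
that account's AWS managed S3 key, and the later pipeline stages cannot read them.
"""
import json

PIPELINE_TYPE = "AWS::CodePipeline::Pipeline"


def artifact_stores(props):
    """Yield each artifact store of a pipeline, single-region or multi-region form."""
    if "ArtifactStore" in props:
        yield props["ArtifactStore"]
    for entry in props.get("ArtifactStores", []):
        # Cross-region pipelines wrap each store as {"Region": ..., "ArtifactStore": {...}}
        if "ArtifactStore" in entry:
            yield entry["ArtifactStore"]


def check_pipeline_encryption(template):
    """Return a list of finding strings; an empty list means every store declares a KMS key."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != PIPELINE_TYPE:
            continue
        for store in artifact_stores(res.get("Properties", {})):
            location = store.get("Location", "<unknown bucket>")
            key = store.get("EncryptionKey")
            if not key:
                findings.append(
                    f"{name}: artifact store {location!r} has no EncryptionKey; "
                    "uploads will fall back to the uploading account's AWS managed S3 key"
                )
            elif key.get("Type") != "KMS" or not key.get("Id"):
                # CloudFormation expects {"Id": <key arn or id>, "Type": "KMS"}
                findings.append(f"{name}: artifact store {location!r} EncryptionKey is malformed: {key!r}")
    return findings


def check_template_file(path):
    """Load a synthesized template from disk and run the check (hypothetical helper)."""
    with open(path, encoding="utf-8") as fh:
        return check_pipeline_encryption(json.load(fh))


# Constructed sample: what the "Do" variant (from_bucket_attributes with encryption_key,
# or passing the Bucket object across stacks) synthesizes to. All values are placeholders.
GOOD_TEMPLATE = {
    "Resources": {
        "Pipeline": {
            "Type": PIPELINE_TYPE,
            "Properties": {
                "ArtifactStore": {
                    "Type": "S3",
                    "Location": "example-artifact-bucket",
                    "EncryptionKey": {
                        "Id": "arn:aws:kms:eu-central-1:111111111111:key/00000000-0000-0000-0000-000000000000",
                        "Type": "KMS",
                    },
                },
                "RoleArn": "arn:aws:iam::111111111111:role/example-pipeline-role",
                "Stages": [],
            },
        }
    }
}

# Constructed sample: the "Don't" variant (from_bucket_name / from_bucket_arn) emits no
# EncryptionKey at all, because the imported Bucket carries no encryption_key.
BAD_TEMPLATE = json.loads(json.dumps(GOOD_TEMPLATE))
del BAD_TEMPLATE["Resources"]["Pipeline"]["Properties"]["ArtifactStore"]["EncryptionKey"]

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_pipeline_encryption(tpl) or "OK")
```

Run it against the real output with `check_template_file("cdk.out/<YourPipelineStack>.template.json")` as a step in the pipeline stack's own tests. The check only establishes the necessary condition the thread describes, that the pipeline declares a key at all; whether that key's policy grants the CodeCommit role in the dev account `kms:GenerateDataKey`/`kms:Encrypt` is a separate review of the key policy.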

