[aws-codepipeline] Pipeline does not respect KMS key set on artifact bucket for encrypting artifacts from CodeCommitSourceAction
Apparently, the aws-codepipeline.Pipeline construct does not respect the KMS key setting of the artifact bucket as described in https://github.com/aws/aws-cdk/issues/10079
Reopening as bug as the issue has been closed without us being able to reproduce the behavior that should happen as described by @skinny85
Reproduction Steps
In dev account:
```python
from aws_cdk import aws_codecommit

self.repo = aws_codecommit.Repository(
    scope=stack,
    id="repo",
    repository_name="repo"
)
```
In tools account (prereqs stack):
```python
from aws_cdk import aws_kms, aws_s3

key = aws_kms.Key(
    self,
    id="PipelineKey",
    alias="alias/codepipeline-crossaccounts",
    enable_key_rotation=True,
    policy=key_policy_document,
)
artifact_bucket = aws_s3.Bucket(
    self,
    id=get_conf_artifact_bucket_name(context=self),
    bucket_name=get_conf_artifact_bucket_name(context=self),
    encryption=aws_s3.BucketEncryption.KMS,
    encryption_key=key,
    access_control=aws_s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL
)
```
In tools account (pipeline stack):
```python
from aws_cdk import (
    aws_codecommit,
    aws_codepipeline,
    aws_codepipeline_actions,
    aws_iam,
    aws_s3,
)

artifact_bucket = aws_s3.Bucket.from_bucket_name(
    scope=self,
    id="artifact-bucket",
    bucket_name=get_conf_artifact_bucket_name(context=self)
)
# get_repository_arn is a function that reads the arn of the repo created in the dev account from cdk.json
repo = aws_codecommit.Repository.from_repository_arn(
    self,
    id="repo",
    repository_arn=get_repository_arn(context=self)
)
pipeline = aws_codepipeline.Pipeline(
    scope=self,
    id="pipeline",
    pipeline_name="pipeline",
    artifact_bucket=artifact_bucket,
    role=pipeline_role
)
source_stage = pipeline.add_stage(stage_name="Source")
source_stage.add_action(
    aws_codepipeline_actions.CodeCommitSourceAction(
        action_name="CodeCommitSource",
        repository=repo,
        output=aws_codepipeline.Artifact(
            artifact_name="SCCheckoutArtifact"
        ),
        branch="develop",
        run_order=1,
        role=aws_iam.Role.from_role_arn(
            self,
            id="cc-role",
            role_arn="<codecommit role in dev account>"
        ),
    )
)
```
What did you expect to happen?
The pipeline respecting the key set on the artifact_bucket (in its own account no less) to encrypt the CodeCommit artifact. As there is no explicit attribute to set an encryption key (in contrast to the possibility in CloudFormation), that was assumed.
What actually happened?
The artifact is encrypted using the default AWS managed KMS key for S3 of the source (dev) account, making it inaccessible for the later steps of the pipeline.
Environment
- CLI Version: aws-cli/2.0.28 Python/3.7.7 Windows/10 botocore/2.0.0dev32
- Framework Version: 1.59.0 (build 1d082f4)
- Node.js Version: v12.18.2
- OS: Windows 10
- Language (Version): Python 3.8.5
Other
We need to use a customer managed KMS key here for security reasons. Giving the tools account privileges to use the AWS managed KMS key for S3 of the dev account is not an option.
This is 🐛 Bug Report
Top GitHub Comments
Right, so that from_bucket_attributes worked, thank you!
For anyone possibly stumbling at the same thing, the gist of it:
When creating a Bucket construct that represents an external bucket (the aws-s3.Bucket.from_… functions) and the encryption key of it is important - use the from_attributes() function and have the key as one of the parameters there.
I had the wrong way of thinking here, believing the from_bucket_arn()/from_bucket_name() function would possibly be able to gather that during the synth step. They aren’t.
Do:
This enables the Pipeline construct to set the encryption key of the artifact store to the one of the bucket which will be respected by a CodeCommitSourceAction to any account.
Don’t:
This sets the encryption key of uploaded artifacts to the default AWS managed S3 key of the CodeCommit’s account if using a CodeCommitSourceAction.
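As an added example (not code from the issue, from the commenters or from the CDK project), here is a stand-alone lint for `cdk synth` output: the Do variant makes the Pipeline construct emit an ArtifactStore EncryptionKey of type KMS, the Don't variant leaves it out, and the check below flags every pipeline artifact store that lacks one, including per-region stores of cross-region pipelines. The template dicts, bucket name, account id and key ARN are constructed placeholders.

```python
import json
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample templates mimicking what `cdk synth` emits for the two
# variants in the thread. Bucket name, account id and key ARN are placeholders.
TEMPLATE_WITHOUT_KEY = {"Resources": {"pipeline": {
    "Type": "AWS::CodePipeline::Pipeline",
    "Properties": {"ArtifactStore": {"Type": "S3", "Location": "tools-artifact-bucket"}}}}}
TEMPLATE_WITH_KEY = {"Resources": {"pipeline": {
    "Type": "AWS::CodePipeline::Pipeline",
    "Properties": {"ArtifactStore": {
        "Type": "S3", "Location": "tools-artifact-bucket",
        "EncryptionKey": {"Type": "KMS",
                          "Id": "arn:aws:kms:eu-west-1:111111111111:key/PLACEHOLDER-KEY-ID"}}}}}}

def _artifact_stores(props: dict) -> Iterator[Tuple[Optional[str], dict]]:
    """Yield (region, store) for single-region and cross-region pipelines."""
    if "ArtifactStore" in props:
        yield None, props["ArtifactStore"]
    for entry in props.get("ArtifactStores", []):
        yield entry.get("Region"), entry.get("ArtifactStore", {})

def _kms_key_id(store: dict) -> Optional[str]:
    """Return the KMS key id of an artifact store, or None if it relies on
    the default key (the situation reported in the issue)."""
    key = store.get("EncryptionKey") or {}
    if key.get("Type") != "KMS" or not key.get("Id"):
        return None
    kid = key["Id"]
    # CDK emits an intrinsic (Ref / Fn::GetAtt) for a key in the same stack
    # and a literal ARN for an imported key; normalise both to a string.
    return json.dumps(kid, sort_keys=True) if isinstance(kid, dict) else str(kid)

def artifact_store_keys(template: dict) -> Dict[str, Optional[str]]:
    """Map '<logical id>[/<region>]' of every pipeline artifact store to its key id."""
    out: Dict[str, Optional[str]] = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CodePipeline::Pipeline":
            continue
        for region, store in _artifact_stores(res.get("Properties", {})):
            label = f"{name}/{region}" if region else name
            out[label] = _kms_key_id(store)
    return out

def find_unencrypted_artifact_stores(template: dict) -> List[str]:
    """Logical ids of artifact stores with no customer managed KMS key set."""
    return [label for label, kid in artifact_store_keys(template).items() if kid is None]
```

Run it over `json.load(open("cdk.out/<stack>.template.json"))` after synth; a non-empty result means the pipeline will fall back to the default key and cross-account source artifacts will be unreadable downstream.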
Hey @robert-hanuschke ,
the problem is that in the pipeline you’re using this Bucket:
Obviously, that Bucket does not have a Key associated with it.
You have 2 options:
1. Use from_bucket_attributes instead, passing the encryption_key property to it to indicate that Bucket has an encryption Key.
2. Pass the artifact_bucket from the pre-reqs stacks to your pipeline stack directly (do not use from_bucket_* methods at all).
BTW, I would appreciate it if you didn't open multiple GitHub issues for the same problem (just comment in the closed one, and I'll re-open it if you don't have that option).
Thanks, Adam