(aws-sns): grantPublish should also grant permission to decrypt master key
See original GitHub issue

What is the problem?

When calling grantPublish on a topic, the method should also add permissions to decrypt the master key in order to properly send messages.
Reproduction Steps
```python
from aws_cdk import (
    aws_sns as sns,
    aws_kms as kms,
    aws_iam as iam,
    core as cdk,  # CDK v1 core module
)


class Test(cdk.Stack):
    def __init__(self, scope: cdk.Construct, construct_id: str) -> None:
        super().__init__(scope, construct_id)
        # Customer-managed KMS key used as the topic's master key (server-side encryption)
        key = kms.Key(self, 'Key')
        topic = sns.Topic(self, 'Topic', master_key=key)
        # grant_publish is expected to cover both sns:Publish and the KMS access needed on `key`
        topic.grant_publish(
            iam.Role(self, 'Role', assumed_by=iam.ServicePrincipal('ec2'))
        )


app = cdk.App()
Test(app, 'BUG')
app.synth()
```
What did you expect to happen?
RoleDefaultPolicy5FFB7DAB is generated with an entry allowing it to encrypt the published message.
```yaml
RoleDefaultPolicy5FFB7DAB:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action: sns:Publish
          Effect: Allow
          Resource:
            Ref: TopicBFC7AF6E
        - Action:
            - kms:Encrypt
            - kms:ReEncrypt*
            - kms:GenerateDataKey*
          Effect: Allow
          Resource:
            Fn::GetAtt:
              - Key961B73FD
              - Arn
      Version: "2012-10-17"
    PolicyName: RoleDefaultPolicy5FFB7DAB
    Roles:
      - Ref: Role1ABCC5F0
  Metadata:
    aws:cdk:path: BUG/Role/DefaultPolicy/Resource
```
What actually happened?
RoleDefaultPolicy5FFB7DAB contains a permission to publish messages to the topic, but that's about it.
```yaml
RoleDefaultPolicy5FFB7DAB:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action: sns:Publish
          Effect: Allow
          Resource:
            Ref: TopicBFC7AF6E
      Version: "2012-10-17"
    PolicyName: RoleDefaultPolicy5FFB7DAB
    Roles:
      - Ref: Role1ABCC5F0
  Metadata:
    aws:cdk:path: BUG/Role/DefaultPolicy/Resource
```
CDK CLI Version: 1.138.0
Framework Version: No response
Node.js Version: 14.17.5
OS: macOS Big Sur
Language: Python
Language Version: 3.10.1
Other information
It might not be easy to implement this, because grantPublish is defined on TopicBase, which does not contain a reference to masterKey. The question is whether we can retrieve that information for TopicBase, or for topics that are being imported.
Issue Analytics
- State:
- Created 2 years ago
- Comments:8 (7 by maintainers)
Top GitHub Comments

I'm going to take a shot at implementing a fix for this, but I just did a bit of research/testing and wanted to offer a correction. The set of permissions required to publish is not [kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*], which are included in kms.grantEncrypt(), but rather [kms:Decrypt, kms:GenerateDataKey*]. You can find this in the SNS docs. I was able to verify this by assuming the role created by the following CDK code:

and then publishing a message from the CLI:

aws sns publish --message "hello" --topic-arn arn:aws:sns:<region>:<account_id>:mytopic
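The reporter's expected output and the correction in the comment above disagree on which KMS actions a publisher needs. The check below is an added example written for this page (it is not code from the CDK project or from either commenter): it walks a synthesized template, loaded as a dict such as cdk.out/<stack>.template.json, and reports which actions a role still lacks to publish to a topic, using the set the comment cites from the SNS docs (kms:Decrypt and kms:GenerateDataKey on the topic's key, in addition to sns:Publish). The three templates at the bottom are constructed samples mirroring the policy shown under "What actually happened?", with the grant_encrypt statement and the corrected statement added; the function and constant names are this example's own, and an AWS-managed alias as KmsMasterKeyId is deliberately not resolved.

```python
import fnmatch
from typing import Any, Dict, Iterator, List

# Actions a publisher actually calls on a customer-managed topic key (per the SNS docs,
# as the comment above states). kms:GenerateDataKey is covered by a kms:GenerateDataKey* grant.
PUBLISHER_KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]

def _logical_id(ref: Any) -> str:
    """Reduce a Ref / Fn::GetAtt / plain string to a CloudFormation logical ID ('' if none)."""
    if isinstance(ref, dict):
        return ref.get("Ref") or ref.get("Fn::GetAtt", [""])[0]
    return ref if isinstance(ref, str) else ""

def _as_list(value: Any) -> List[Any]:
    """Action/Resource/Roles may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _role_statements(template: Dict[str, Any], role_id: str) -> Iterator[Dict[str, Any]]:
    """Every statement attached to role_id: inline Policies plus AWS::IAM::Policy resources."""
    resources = template.get("Resources", {})
    role_props = resources.get(role_id, {}).get("Properties", {})
    docs = [p.get("PolicyDocument", {}) for p in _as_list(role_props.get("Policies"))]
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Policy" and any(
            _logical_id(r) == role_id for r in _as_list(props.get("Roles"))
        ):
            docs.append(props.get("PolicyDocument", {}))
    for doc in docs:
        yield from _as_list(doc.get("Statement"))

def _allows(statements: List[Dict[str, Any]], action: str, target_id: str) -> bool:
    """True if an Allow statement covers `action` on `target_id` and no Deny statement does."""
    allowed = denied = False
    for stmt in statements:
        if not any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_logical_id(r) in ("*", target_id) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied

def missing_publish_permissions(template: Dict[str, Any], role_id: str, topic_id: str) -> List[str]:
    """Actions role_id still lacks to publish to topic_id.

    sns:Publish on the topic is always needed; if the topic's KmsMasterKeyId points at a key
    defined in this template, kms:Decrypt and kms:GenerateDataKey on that key are needed too.
    An AWS-managed alias (e.g. alias/aws/sns) is not a template resource and is skipped.
    """
    resources = template["Resources"]
    stmts = list(_role_statements(template, role_id))
    required = [("sns:Publish", topic_id)]
    key_id = _logical_id(resources[topic_id].get("Properties", {}).get("KmsMasterKeyId"))
    if key_id in resources:
        required += [(action, key_id) for action in PUBLISHER_KMS_ACTIONS]
    return [action for action, target in required if not _allows(stmts, action, target)]

def _template(kms_statement: Dict[str, Any] = None) -> Dict[str, Any]:
    """Constructed sample mirroring the issue's synth output (not real CDK output):
    the role policy from "What actually happened?" plus an optional extra KMS statement."""
    statements = [{"Action": "sns:Publish", "Effect": "Allow", "Resource": {"Ref": "TopicBFC7AF6E"}}]
    if kms_statement:
        statements.append(kms_statement)
    return {"Resources": {
        "Key961B73FD": {"Type": "AWS::KMS::Key", "Properties": {}},
        "TopicBFC7AF6E": {"Type": "AWS::SNS::Topic", "Properties": {
            "KmsMasterKeyId": {"Fn::GetAtt": ["Key961B73FD", "Arn"]}}},
        "Role1ABCC5F0": {"Type": "AWS::IAM::Role", "Properties": {}},
        "RoleDefaultPolicy5FFB7DAB": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyDocument": {"Statement": statements, "Version": "2012-10-17"},
            "PolicyName": "RoleDefaultPolicy5FFB7DAB",
            "Roles": [{"Ref": "Role1ABCC5F0"}]}},
    }}

KEY_ARN = {"Fn::GetAtt": ["Key961B73FD", "Arn"]}
TEMPLATE_ACTUAL = _template()  # grant_publish alone, as reported
TEMPLATE_GRANT_ENCRYPT = _template({"Action": ["kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
                                    "Effect": "Allow", "Resource": KEY_ARN})  # key.grant_encrypt set
TEMPLATE_FIXED = _template({"Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
                            "Effect": "Allow", "Resource": KEY_ARN})  # set from the SNS docs

if __name__ == "__main__":
    for name, tpl in [("actual", TEMPLATE_ACTUAL), ("grant_encrypt", TEMPLATE_GRANT_ENCRYPT),
                      ("fixed", TEMPLATE_FIXED)]:
        print(name, "missing:", missing_publish_permissions(tpl, "Role1ABCC5F0", "TopicBFC7AF6E"))
```

Run against the reported output the check flags both KMS actions; against the grant_encrypt statement from the reporter's expected output it still flags kms:Decrypt, which is exactly the gap the comment describes; against the corrected statement it reports nothing missing. Resource matching is done on logical IDs (a literal "*" also matches) rather than on ARNs, which is sufficient for a template produced by a single CDK stack; cross-stack ARN strings would need a real ARN comparison.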
Problem is still there, sorry for the duplication #21892