
(aws-sns): grantPublish should also grant permission to decrypt master key


What is the problem?

When calling grantPublish on a topic, the method should also add permissions to decrypt the master key in order to properly send messages.

Reproduction Steps

from aws_cdk import (
    aws_sns as sns,
    aws_kms as kms,
    aws_iam as iam,
    core as cdk,
)


class Test(cdk.Stack):

    def __init__(self, scope: cdk.Construct, construct_id: str) -> None:
        super().__init__(scope, construct_id)

        # Customer-managed KMS key used as the topic's master key (server-side encryption).
        key = kms.Key(self, 'Key')
        topic = sns.Topic(self, 'Topic', master_key=key)
        # grant_publish only adds sns:Publish on the topic to the role's default policy;
        # nothing is granted on `key`.
        topic.grant_publish(
            iam.Role(self, 'Role', assumed_by=iam.ServicePrincipal('ec2'))
        )

app = cdk.App()
Test(app, 'BUG')
app.synth()

What did you expect to happen?

RoleDefaultPolicy5FFB7DAB is generated with an entry allowing encryption of the published message.

  RoleDefaultPolicy5FFB7DAB:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: sns:Publish
            Effect: Allow
            Resource:
              Ref: TopicBFC7AF6E
          - Action:
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - Key961B73FD
                - Arn
        Version: "2012-10-17"
      PolicyName: RoleDefaultPolicy5FFB7DAB
      Roles:
        - Ref: Role1ABCC5F0
    Metadata:
      aws:cdk:path: BUG/Role/DefaultPolicy/Resource

What actually happened?

RoleDefaultPolicy5FFB7DAB contains a permission to publish messages to the topic, but that’s about it.

  RoleDefaultPolicy5FFB7DAB:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: sns:Publish
            Effect: Allow
            Resource:
              Ref: TopicBFC7AF6E
        Version: "2012-10-17"
      PolicyName: RoleDefaultPolicy5FFB7DAB
      Roles:
        - Ref: Role1ABCC5F0
    Metadata:
      aws:cdk:path: BUG/Role/DefaultPolicy/Resource

CDK CLI Version

1.138.0

Framework Version

No response

Node.js Version

14.17.5

OS

MacOs BigSur

Language

Python

Language Version

3.10.1

Other information

It might not be easy to implement this because grantPublish is defined at TopicBase, which does not contain a reference to masterKey. The question is whether such information can be retrieved for TopicBase or for topics that are being imported.


Top GitHub Comments

2 reactions
AdamVD commented, Feb 12, 2022

I’m going to take a shot at implementing a fix for this, but I just did a bit of research/testing and wanted to offer a correction. The set of permissions required to publish is not [kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*] which are included in kms.grantEncrypt(), but rather [kms:Decrypt, kms:GenerateDataKey*]. You can find this in the SNS docs.

I was able to verify this by assuming the role created by the following CDK code:

import { Stack } from '@aws-cdk/core';
import { AccountPrincipal, Role } from '@aws-cdk/aws-iam';
import { Key } from '@aws-cdk/aws-kms';
import { Topic } from '@aws-cdk/aws-sns';

// Role that can be assumed from within the same account for the test.
const role = new Role(this, 'SnsPubRole', {
  assumedBy: new AccountPrincipal(Stack.of(this).account),
});

// Customer-managed key used as the topic's master key.
const key = new Key(this, 'CustomKey');

const topic = new Topic(this, 'MyTopic', {
  topicName: 'mytopic',
  masterKey: key,
});

// sns:Publish on the topic, plus the two KMS actions SNS needs on the key.
topic.grantPublish(role);
key.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey*');

and then publishing a message from the CLI: aws sns publish --message "hello" --topic-arn arn:aws:sns:<region>:<account_id>:mytopic.
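As an added example (not code from the issue or from the CDK project), the check below walks a synthesized CloudFormation template and reports every IAM policy that allows sns:Publish on a topic with KmsMasterKeyId but lacks the kms:Decrypt and kms:GenerateDataKey* actions on that key, which is the set named in the comment above. The template is constructed inline from the issue's logical ids; the helper names are this example's own.

```python
import fnmatch

# Actions SNS needs on the topic's master key to publish (per AdamVD's comment above).
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")

def template(*kms_statements):
    """Constructed template with the issue's logical ids: an encrypted topic plus a
    role policy that allows sns:Publish and whatever KMS statements are passed in."""
    statements = [{"Action": "sns:Publish", "Effect": "Allow",
                   "Resource": {"Ref": "TopicBFC7AF6E"}}, *kms_statements]
    return {"Resources": {
        "Key961B73FD": {"Type": "AWS::KMS::Key", "Properties": {}},
        "TopicBFC7AF6E": {"Type": "AWS::SNS::Topic", "Properties": {
            "KmsMasterKeyId": {"Fn::GetAtt": ["Key961B73FD", "Arn"]}}},
        "RoleDefaultPolicy5FFB7DAB": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyDocument": {"Statement": statements}}}}}

def _logical_id(ref):  # Ref / Fn::GetAtt intrinsic -> logical id (None for plain strings)
    return (ref.get("Ref") or ref.get("Fn::GetAtt", [None])[0]) if isinstance(ref, dict) else None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def missing_kms_grants(tpl):
    """Map policy logical id -> KMS actions still missing for each Allow of sns:Publish
    on a topic that has KmsMasterKeyId; topics without a master key are skipped."""
    res, findings = tpl["Resources"], {}
    for pid, r in res.items():
        if r["Type"] != "AWS::IAM::Policy":
            continue
        stmts = [s for s in r["Properties"]["PolicyDocument"]["Statement"]
                 if s.get("Effect") == "Allow"]
        key_actions = {}  # key logical id -> set of kms:* action patterns allowed on it
        for s in stmts:
            for a in _as_list(s["Action"]):
                if a.startswith("kms:"):
                    for rsrc in _as_list(s["Resource"]):
                        key_actions.setdefault(_logical_id(rsrc), set()).add(a)
        for s in stmts:
            if "sns:Publish" not in _as_list(s["Action"]):
                continue
            for rsrc in _as_list(s["Resource"]):
                props = res.get(_logical_id(rsrc), {}).get("Properties", {})
                key = _logical_id(props.get("KmsMasterKeyId"))
                # Wildcard grants such as kms:GenerateDataKey* satisfy the matching action.
                missing = [need for need in REQUIRED_KMS_ACTIONS if key is not None and
                           not any(fnmatch.fnmatchcase(need, p) for p in key_actions.get(key, ()))]
                if missing:
                    findings[pid] = missing
    return findings
```

Run against the issue's "what actually happened" output this flags both actions; against the grantEncrypt set from the expected output it still flags kms:Decrypt, which is the correction the comment makes.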

1 reaction
ghdoergeloh commented, Sep 2, 2022

Problem is still there, sorry for the duplication #21892
