(CodeBuild): Add KMS decrypt to policy for secrets imported by name
Following up on #14043 and #14226. I was thinking about also allowing the kms:Decrypt action for secrets that get provided via Token.
Since we already assume that the value is an Arn, we could parse it and then create an Arn for the kms key with the wildcard and add it to the set of kmsIamResources.
If this is worth implementing I can create the PR. 😃
Environment
- CDK CLI Version : 1.101.0
- Framework Version: 1.101.0
- Node.js Version: 15.11.0
- OS : MacOS
- Language (Version): all
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 2 years ago
- Comments:9 (8 by maintainers)
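The derivation proposed in the issue, as an added example that is not part of the original issue or of the CDK code base: it parses a secret ARN, builds the wildcard KMS key ARN for the same partition, region and account, and emits the kms:Decrypt statement. It works on concrete ARN strings rather than CDK Tokens; the function names, the sample ARNs and the kms:ViaService condition (a scoping choice added here, since key/* matches every key in that account and region) are assumptions.

```typescript
// Added example, not CDK code: operates on concrete ARN strings.
interface Statement {
  Effect: "Allow";
  Action: string[];
  Resource: string[];
  Condition: Record<string, Record<string, string>>;
}

// Constructed sample values (accounts, regions and names are made up).
const SAMPLE_SECRET_ARNS = [
  "arn:aws:secretsmanager:eu-west-1:111122223333:secret:build/npm-token-AbCdEf",
  "arn:aws:secretsmanager:eu-west-1:111122223333:secret:build/db-GhIjKl:password",
  "arn:aws:secretsmanager:us-east-1:444455556666:secret:shared/signing-key-MnOpQr",
];

// Turn a secret ARN into arn:<partition>:kms:<region>:<account>:key/*.
function kmsWildcardForSecret(secretArn: string): { keyArn: string; region: string } {
  // arn:partition:service:region:account:secret:name[:json-key...]
  const parts = secretArn.split(":");
  if (parts.length < 7 || parts[0] !== "arn" || parts[2] !== "secretsmanager" || parts[5] !== "secret") {
    throw new Error("not a Secrets Manager secret ARN: " + secretArn);
  }
  const partition = parts[1], region = parts[3], account = parts[4];
  if (!partition || !region || !/^\d{12}$/.test(account)) {
    throw new Error("secret ARN lacks partition, region or account: " + secretArn);
  }
  return { keyArn: "arn:" + partition + ":kms:" + region + ":" + account + ":key/*", region: region };
}

// One kms:Decrypt statement per region, key ARNs de-duplicated.
function kmsDecryptStatements(secretArns: string[]): Statement[] {
  const byRegion: Record<string, string[]> = {};
  for (const arn of secretArns) {
    const derived = kmsWildcardForSecret(arn);
    const keys = (byRegion[derived.region] = byRegion[derived.region] || []);
    if (keys.indexOf(derived.keyArn) === -1) keys.push(derived.keyArn);
  }
  return Object.keys(byRegion).sort().map((region) => ({
    Effect: "Allow" as const,
    Action: ["kms:Decrypt"],
    Resource: byRegion[region].slice().sort(),
    // Assumption added here: limit key/* to calls made through Secrets Manager
    // in that region (commercial-partition service name).
    Condition: { StringEquals: { "kms:ViaService": "secretsmanager." + region + ".amazonaws.com" } },
  }));
}

console.log(JSON.stringify(kmsDecryptStatements(SAMPLE_SECRET_ARNS), null, 2));
```

A bare secret name has no region or account to derive a key ARN from, so `kmsWildcardForSecret` rejects it instead of guessing.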
Top GitHub Comments
Ah, OK. For some reason I thought we granted kms:Encrypt, but yeah, that doesn’t make sense 😜.
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.