Giter VIP home page Giter VIP logo

Comments (3)

stavros-zavrakas avatar stavros-zavrakas commented on September 22, 2024 1

@vaibhavjain11 did you manage to fix this?

from aws-refarch-cross-account-pipeline.

PolyatomicBrian avatar PolyatomicBrian commented on September 22, 2024 1

Since the Artifact Store (the S3 bucket) is configured to use the CMK as its encryption key, whatever role of the Pipeline's stage that writes to the Artifact Store needs to have access to the CMK. In the case of the GitHub Pipeline Stage, no IAM Role can be attached to this stage, as it defaults to the Code Pipeline's service role. This means the Code Pipeline's service role needs to have access to the CMK.

To fix this issue, in ToolsAcct/pre-reqs.yaml, update the statement of the KMSKey resource's KeyPolicy from:

        Statement:
          -
            Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          -
            Sid: Allow use of the key for CryptoGraphy Lambda
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${ProductionAccount}:root
                - !Sub arn:aws:iam::${TestAccount}:root
                - !Sub arn:aws:iam::${DevAccount}:root
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
                  - !Ref AWS::NoValue
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

To:

        Statement:
          -
            Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          -
            Sid: Allow use of the key for CryptoGraphy Lambda
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${ProductionAccount}:root
                - !Sub arn:aws:iam::${TestAccount}:root
                - !Sub arn:aws:iam::${DevAccount}:root
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
                  - !Ref AWS::NoValue
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-codepipeline-role
                  - !Ref AWS::NoValue
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

Where the difference is the inclusion of the CodePipeline's service role.

from aws-refarch-cross-account-pipeline.

JonShilale avatar JonShilale commented on September 22, 2024

I have this same issue and would like to know if there's a fix I'm missing.

from aws-refarch-cross-account-pipeline.

Related Issues (12)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.