Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KMS-Managed SQS encyption generating invalid IAM policy for Lambda func #2794

Closed
tylerarbus opened this issue Jun 7, 2019 · 1 comment · Fixed by #3169
Closed

KMS-Managed SQS encyption generating invalid IAM policy for Lambda func #2794

tylerarbus opened this issue Jun 7, 2019 · 1 comment · Fixed by #3169
Assignees
@RomainMuller
Labels
@aws-cdk/aws-kms Related to AWS Key Management @aws-cdk/aws-sqs Related to Amazon Simple Queue Service bug This issue is a bug. needs-reproduction This issue needs reproduction. p0

Comments

@tylerarbus
Copy link

Describe the bug

When using KMS-Managed queue encryption for SQS, the CDK is generating an invalid IAM policy when attached as an event source for a lambda function. The following error is generated in CloudFormation:

Resource alias/aws/sqs must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument)

The invalid policy statement is being generated for the Lambda function ("Resource" should be an ARN or "*", but is being generated as "alias/aws/sqs"):

            {
              "Action": "kms:Decrypt",
              "Effect": "Allow",
              "Resource": "alias/aws/sqs"
            }

To Reproduce

    // Provision queue and dead letter queue in SQS
    const DLQ = new sqs.Queue(this, 'DeadLetterQueue', {
      encryption: sqs.QueueEncryption.KmsManaged,
    });

    const queue = new sqs.Queue(this, 'Queue', {
      deadLetterQueue: {
        queue: DLQ,
        maxReceiveCount: 3,
      },
      encryption: sqs.QueueEncryption.KmsManaged,
    });

    // Create  lambda function
    const lambda = new lambda.Function(this, 'Lambda', {
      code: lambda.Code.directory('lambda'),
      handler: 'index.lambda_handler',
      runtime: lambda.Runtime.Ruby25,
    });

    // Add SQS as event source to lambda function
    lambda.addEventSource(new lambdaEventSources.SqsEventSource(queue));

Expected behavior
The statement included in the Lambda IAM policy for kms:Decrypt should have a resource with a valid ARN

Version:

  • OS: MacOS 10.14.5
  • Programming Language: Typescript
  • CDK Version: 0.33
@tylerarbus tylerarbus added the bug This issue is a bug. label Jun 7, 2019
@NGL321 NGL321 added the needs-triage This issue or PR still needs to be triaged. label Jun 17, 2019
@NGL321 NGL321 added @aws-cdk/aws-kms Related to AWS Key Management needs-reproduction This issue needs reproduction. @aws-cdk/aws-sqs Related to Amazon Simple Queue Service and removed needs-triage This issue or PR still needs to be triaged. labels Jun 26, 2019
@fulghum fulghum added the p0 label Jun 26, 2019
ScOut3R added a commit to ScOut3R/aws-cdk that referenced this issue Jun 29, 2019
@ScOut3R
fix(sqs) KMS-Managed SQS encryption generate valid IAM Policy for gra…
02ab268 
…ntee (aws#2794)

fixes aws#2794
@ScOut3R ScOut3R mentioned this issue Jun 29, 2019
Closed
ScOut3R added a commit to ScOut3R/aws-cdk that referenced this issue Jun 30, 2019
@ScOut3R
fix(sqs) KMS-Managed SQS encryption generate valid IAM Policy for gra…
74354c0 
…ntee (aws#2794)

fix dependent test case

fixes aws#2794
@RomainMuller RomainMuller self-assigned this Jul 2, 2019
RomainMuller added a commit that referenced this issue Jul 2, 2019
@RomainMuller
fix(sqs): Do not emit grants to the AWS-managed encryption key
348d28f 
Grants on the `alias/aws/sqs` KMS key alias are not necessary since the
key will implicitly allow for it's intended usage to be fulfilled (as
opposed to how you have to manage grants yourself when using a
user-managed key instead).

This removes the statement that was generated using an invalid resource
entry.

Fixes #2794
@RomainMuller RomainMuller mentioned this issue Jul 2, 2019
Merged
@pepastach
Copy link

In case you encounter this problem, here's an example of a workaround:

Instead of simple CDK grant:

queue.grant_send_messages(grantee=fargate_task_definition.task_role)

You have to add a policy statement:

fargate_task_definition.task_role.add_to_policy(
    PolicyStatement(
        effect=Effect.ALLOW,
        actions=['sqs:SendMessage', 'sqs:GetQueueAttributes', 'sqs:GetQueueUrl'],
        resources=[queue.queue_arn]
    )
)
fargate_task_definition.task_role.add_to_policy(
    PolicyStatement(
        effect=Effect.ALLOW,
        actions=['kms:Encrypt', 'kms:GenerateDataKey*', 'kms:ReEncrypt*'],
        resources=[f'arn:aws:kms:{Aws.REGION}:{Aws.ACCOUNT_ID}:alias/aws/sqs']
    )
)

RomainMuller added a commit that referenced this issue Aug 5, 2019
@RomainMuller
fix(sqs): do not emit grants to the AWS-managed encryption key (#3169)
07f017b 
Grants on the `alias/aws/sqs` KMS key alias are not necessary since the
key will implicitly allow for it's intended usage to be fulfilled (as
opposed to how you have to manage grants yourself when using a
user-managed key instead).

This removes the statement that was generated using an invalid resource
entry.

Fixes #2794
eladb pushed a commit that referenced this issue Aug 6, 2019
@RomainMuller
fix(sqs): do not emit grants to the AWS-managed encryption key (#3169)
d2153d9 
Grants on the `alias/aws/sqs` KMS key alias are not necessary since the
key will implicitly allow for it's intended usage to be fulfilled (as
opposed to how you have to manage grants yourself when using a
user-managed key instead).

This removes the statement that was generated using an invalid resource
entry.

Fixes #2794
mergify bot pushed a commit that referenced this issue Aug 7, 2019
@mergify
feat(eks): programmatic definition of kubernetes resources (#3510)
4e11d86 
* chore: update package-lock.json

* feat(eks): define kubernetes resources

This change allows defining arbitrary Kubernetes resources within an EKS cluster.

* nice!

* update readme

* Update README.md

* feat(events): ability to add cross-account targets (#3323)

This adds the capability of adding a target to an event rule
that belongs to a different account than the rule itself.
Required for things like cross-account CodePipelines with source actions triggered by events.

* chore(ci): add mergify config file (#3502)

* chore: update jsii to 0.14.3 (#3513)

* fix(iam): correctly limit the default PolicyName to 128 characters (#3487)

Our logic for trimming the length of the default IAM policy name was not working,
as it wasn't updated when logicalId became a Token rather than a literate string,
and so it was never actually triggered
(it just checked that the display name of the Token was less than 128 characters,
which it always is).
The fix is to resolve the logical ID Token before applying the trimming logic.

Fixes #3402

* v1.3.0 (#3516)

See CHANGELOG

* fix: typo in restapi.ts (#3530)

* feat(ecs): container dependencies (#3032)

Add new addContainerDependencies method to allow for container dependencies
Fixes #2490

* feat(s3-deployment): CloudFront invalidation (#3213)

see #3106

* docs(core): findChild gets direct child only (#3512)

* doc(iam): update references to addManagedPolicy (#3511)

* fix(sqs): do not emit grants to the AWS-managed encryption key (#3169)

Grants on the `alias/aws/sqs` KMS key alias are not necessary since the
key will implicitly allow for it's intended usage to be fulfilled (as
opposed to how you have to manage grants yourself when using a
user-managed key instead).

This removes the statement that was generated using an invalid resource
entry.

Fixes #2794

* fix(lambda): allow ArnPrincipal in grantInvoke (#3501)

Fixes #3264 

I'm trying to allow a lambda function in another account to be able to invoke my CDK generated lambda function. This works through the CLI like so:

    aws lambda add-permission --function-name=myFunction --statement-id=ABoldStatement --action=lambda:InvokeFunction --principal=arn:aws:iam::{account_id}:role/a_lambda_execution_role

But CDK doesn't seem to allow me to add an ArnPrincipal doing something like this:

    myFunction.grantInvoke(new iam.ArnPrincipal(props.myARN))

With the error:

    Invalid principal type for Lambda permission statement: ArnPrincipal. Supported: AccountPrincipal, ServicePrincipal

This PR allows ArnPrincipal to be passed to lambda.grantInvoke.

There might be some additional validation required on the exact ARN as I believe only some ARNs are supported by lambda add-permission

* chore(contrib): remove API stabilization disclaimer

* fix(ssm): add GetParameters action to grantRead() (#3546)

* misc

* rename `KubernetesManifest` to `KubernetesResource` and `addResource`
* move AWS Auth APIs to `cluster.awsAuth` and expose `AwsAuth`
* remove the yaml library (we can just use a JSON stream)
* add support for adding accounts to aws-auth
* fix cluster deletion bug
* move kubctl app info to constants

* addManifest => addResource

* update test expectations

* add unit test for customresrouce.ref

* fix sample link
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RomainMuller RomainMuller

Labels
@aws-cdk/aws-kms Related to AWS Key Management @aws-cdk/aws-sqs Related to Amazon Simple Queue Service bug This issue is a bug. needs-reproduction This issue needs reproduction. p0
Projects
None yet
Milestone
No milestone
5 participants
@fulghum @RomainMuller @NGL321 @pepastach @tylerarbus