Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(scheduler-alpha): too many KMS permissions granted #31923

Merged
merged 4 commits into from
Oct 28, 2024
Merged

fix(scheduler-alpha): too many KMS permissions granted #31923

merged 4 commits into from
Oct 28, 2024

Conversation

samson-keung
Copy link
Contributor

@samson-keung samson-keung commented Oct 28, 2024
edited
Loading

Issue # (if applicable)

Tracking #31785.

Reason for this change

When customer use a KMS Customer Managed Key (CMK) with the Schedule construct, the following permissions are added to the scheduler execution role:

'kms:Decrypt', 'kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'

However, upon testing, having only the kms:Decrypt permission is enough for the Schedule to invoke the target (Lambda Function as a target was used in the test.).

Description of changes

This PR removes the unneeded KMS permissions and updated integ test to verify that the schedule is still able to invoke the target.

Description of how you validated changes

Unit test and integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

BREAKING CHANGE: Extra KMS permissions are removed from Schedule execution role when KMS key is passed to Schedule.

@aws-cdk-automation aws-cdk-automation requested a review from a team October 28, 2024 19:35
@github-actions github-actions bot added the p2 label Oct 28, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 28, 2024
samson-keung
samson-keung commented Oct 28, 2024
View reviewed changes
packages/@aws-cdk/aws-scheduler-alpha/test/integ.schedule.ts
import * as scheduler from '../lib';

class SomeLambdaTarget implements scheduler.IScheduleTarget {
public constructor(private readonly fn: lambda.IFunction, private readonly role: iam.IRole) {
class SomeSqsTarget implements scheduler.IScheduleTarget {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opted to use SQS queue for this test so that we can use ReceiveMessage in the assertions to test the runtime behaviour, without needing to write a Lambda Function.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 28, 2024
gracelu0
gracelu0 approved these changes Oct 28, 2024
View reviewed changes
Copy link
Contributor

@gracelu0 gracelu0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, follows Scheduler docs under Execution role permissions for customer managed keys section

@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 28, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 09f7ad1
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 06678a3 into aws:main Oct 28, 2024
15 checks passed
@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gracelu0 gracelu0 gracelu0 approved these changes

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@samson-keung @aws-cdk-automation @gracelu0