
EFS : kmsKey issue when using CMK from another account #7641

Closed
Cloudrage opened this issue Apr 28, 2020 · 3 comments · Fixed by #11524
Assignees
Labels
@aws-cdk/aws-efs Related to Amazon Elastic File System bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@Cloudrage

Cloudrage commented Apr 28, 2020

Bug

Can't create an EFS specifying kmsKey with a CMK created on another account.

When creating and specifying the CMK directly in the account where the EFS is created, it works.

Reproduction Steps

Here is the code used to create the EFS:

    import * as cdk from '@aws-cdk/core';
    import * as efs from '@aws-cdk/aws-efs';
    import * as kms from '@aws-cdk/aws-kms';

    // `vpc` and `SecurityGroupEfs` are created elsewhere in the stack.
    // The key ARN is either a literal or read from an SSM string parameter.
    const KmsKey = kms.Key.fromKeyArn(this, 'KmsKey', 'MyKeyArnOrMySsmStringParameterWithMyKeyArn');

    const Efs = new efs.FileSystem(this, 'Efs', {
      vpc: vpc,
      encrypted: true,
      kmsKey: KmsKey,
      performanceMode: efs.PerformanceMode.GENERAL_PURPOSE,
      throughputMode: efs.ThroughputMode.PROVISIONED,
      provisionedThroughputPerSecond: cdk.Size.mebibytes(100),
      securityGroup: SecurityGroupEfs
    });

Error Log

Here is the error:
| CREATE_FAILED | AWS::EFS::FileSystem | Efs (EfsHost2659FEA6) The request was rejected because the specified key could not be found. [error=NotFoundException]

Environment

  • CLI Version : aws-cli/1.18.46 Python/3.7.3 / CDK Version: 1.35.0 (build e0810c8)
  • Framework Version: npm 6.14.4
  • Language : TypeScript

Other

The code is the same whether the CMK is from the other account or not.
But when the CMK is a `fromKeyArn` const, it won't work.

This is 🐛 Bug Report

@Cloudrage Cloudrage added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 28, 2020
@SomayaB SomayaB added the @aws-cdk/aws-efs Related to Amazon Elastic File System label Apr 29, 2020
@rix0rrr rix0rrr added the p2 label May 6, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label May 19, 2020
@rix0rrr
Contributor

rix0rrr commented Aug 12, 2020

Is this even possible? Is this not an upstream service problem?

@rix0rrr rix0rrr added the effort/small Small work item – less than a day of effort label Aug 12, 2020
@SomayaB SomayaB assigned shivlaks and unassigned rix0rrr Aug 20, 2020
@Cloudrage
Author

Strange indeed; I've tested again, switching between the CMK in the EFS account and the other CMK from our SecOps account, and the problem is still the same:

A synth:

  Efs9E8BF36B:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      KmsKeyId:
        Fn::Select:
          - 1
          - Fn::Split:
              - /
              - Fn::Select:
                  - 5
                  - Fn::Split:
                      - ":"
                      - Ref: KmsKeyEC2ParameterParameter
      PerformanceMode: generalPurpose
      ProvisionedThroughputInMibps: 100
      ThroughputMode: provisioned
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain

The way to get the key:

    import * as kms from '@aws-cdk/aws-kms';
    import * as ssm from '@aws-cdk/aws-ssm';

    // The key ARN is stored in an SSM string parameter; `AppName` is defined elsewhere in the stack.
    const KmsKeyEC2Parameter = ssm.StringParameter.fromStringParameterAttributes(this, 'KmsKeyEC2Parameter', {
      parameterName: '/cdk/' + AppName + '/kms/ec2Key/arn'
    }).stringValue;
    const KmsKeyEC2 = kms.Key.fromKeyArn(this, 'KmsKeyEC2', KmsKeyEC2Parameter);

shivlaks added a commit that referenced this issue Nov 17, 2020
the `keyId` property supports using the ARN or the key ID.
this change uses the ARN as it's more robust and allows usage of
a key which is cross-account.

It currently fails as the ID is looked up within the same account
and not found.

Closes #7641
@mergify mergify bot closed this as completed in #11524 Nov 17, 2020
mergify bot pushed a commit that referenced this issue Nov 17, 2020
…1524)