-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(pipelines): cross-region/cross-account key permissions are wrong #10222
Conversation
In #8280 we made a resource's account/region distinct from the stack in which the construct was defined, to account for accounts and regions from imported resources. The pipelines module used to define imported roles in a separate in-memory Stack so that the old, broken "cross-environment" logic would do the right thing. That crutch was removed as part of #8280. The new logic hasn't been carried through everywhere though. For example, the logic in the grants of KMS keys had not been updated to match, leading to cross-account/cross-region deployments being broken (as reported in #10166) because the cross-region support stack's KMS key had the wrong permissions. In fact, it switched from: ``` { "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Principal": { "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::561462023695:role/cdk-hnb659fds-deploy-role-561462023695-us-east-2" } }, "Resource": "*" } ``` to ``` { "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::355421412380:root" ] ] } }, "Resource": "*" } ``` Ignoring the switch from `Fn::Sub` to `Fn::Join`, it switched from the `deploy-role` in a DIFFERENT account to the root principal of the SAME account.
This issue is not fixed yet! I added a test that shows the brokenness (which should have been there before but wasn't :( ), but I haven't been able to trace the problem to its source yet. It seems like it might have something to do with the aws-cdk/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts Lines 87 to 92 in 118dbfb
Or with the logic in Also principals don't really have a region, so I could refactor the one method but not the other :/ |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
@rix0rrr I've worked on this problem today, and it's quite a hairy one. I believe the issue is in the Basically, the deploy Role is imported into the Pipeline Stack scope, while the replication Key is in a support Stack. Of course, the Pipeline Stack depends on the replication Stack. So, that method triggers, changing the principal from the Role ARN to the account's root. However, this is incorrect of course, because in this case, the grantee is an imported Role, not a new one, so there's no need to trigger this logic (the principal, the bootstrap deploy role, will exist when the Key policy is updated). I was aware of that problem before, but it seems like we have reached critical mass, and need to solve it now. The question is how? Do we need a concept of an "imported" Resource, that we can check for in |
Sooo... hmm. I don't think we need a generic concept of imported resources. It's only really about whether the principal is imported or not. Ultimately it's about the principal of the grantee (not the grantee itself). If principal had a A cheaper, hackier way is to make something like |
Isn't that a very weird API though? Why would imported Roles have And of course, it will actually be |
Well... isn't that the point? Because an imported role is not defining the resource? (The term defining here being the one that Elad favors, substitute creating if "defining" means something else to you--I personally agree with him that defining is a fine term for this and it has precedent in for example C's distinction between declaring and defining) Do you have a better name or idea? The simpler change is probably type-checking the |
I have shipped that other one but I can't help but think there's more left to do. While investigating this I saw that much of the code of KMS still uses Don't you think we should fix those up while we're at it? |
Sure. Do you know of the specific cases when the behavior is incorrect? |
No, but a grep should cover a bunch? |
Sorry, I don't follow. A |
In #8280 we made a resource's account/region distinct
from the stack in which the construct was defined, to account for
accounts and regions from imported resources.
The pipelines module used to define imported roles in a separate
in-memory Stack so that the old, broken "cross-environment" logic
would do the right thing. That crutch was removed as part of #8280.
The new logic hasn't been carried through everywhere though. For
example, the logic in the grants of KMS keys had not been updated
to match, leading to cross-account/cross-region deployments
being broken (as reported in #10166) because the cross-region support
stack's KMS key had the wrong permissions.
In fact, it switched from:
to
Ignoring the switch from
Fn::Sub
toFn::Join
, it switched from thedeploy-role
in a DIFFERENT account to the root principal of the SAMEaccount.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license