Permissions not added for encrypted SQS queues #555

Closed
NoxHarmonium opened this issue May 13, 2022 · 1 comment
@NoxHarmonium
Collaborator

When you add a key to the SQS queue with kmsMasterKeyId, no permissions are added to the lambda to decrypt the encrypted SQS messages and the messages end up in the DLQ.

When kmsMasterKeyId is set, a kms:Decrypt permission should be added to the lambda function.

See also https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-lambda-function-trigger.html
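As an added example (not Lift's own implementation), the execution-role statements a consuming Lambda needs, with the `kms:Decrypt` statement emitted only when `kmsMasterKeyId` is set and accepted as a key ID, a key ARN, or a CloudFormation reference to a key ARN. All ARNs, key IDs and logical resource names are constructed samples.

```typescript
// Added example, not Lift's own code: the IAM statements a consuming Lambda
// needs once an SQS queue is encrypted with a customer-managed KMS key.
// All ARNs, key IDs and logical resource names below are constructed samples.
type CfnRef = { Ref: string } | { "Fn::GetAtt": [string, string] } | { "Fn::ImportValue": string };
type CfnSub = { "Fn::Sub": string };
type KmsMasterKeyId = string | CfnRef;

interface IamStatement {
  Effect: "Allow";
  Action: string[];
  Resource: string | CfnRef | CfnSub;
}

const KEY_ARN = /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/[0-9a-f-]{36}$/i;
const KEY_ID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Turn whatever was given as kmsMasterKeyId into something IAM accepts as a Resource.
// kms:Decrypt must be granted on the key ARN; a bare key ID is completed with
// CloudFormation pseudo-parameters so the stack stays region- and account-agnostic.
function keyArnResource(key: KmsMasterKeyId): IamStatement["Resource"] {
  if (typeof key !== "string") return key;            // e.g. { "Fn::GetAtt": ["QueueKey", "Arn"] }
  if (KEY_ARN.test(key)) return key;
  if (KEY_ID.test(key)) {
    return { "Fn::Sub": "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/" + key };
  }
  // Aliases (alias/...) are not resolved here: an alias is not a valid Resource for kms:Decrypt.
  throw new Error("unsupported kmsMasterKeyId: " + key);
}

// Statements for the function's execution role. The SQS actions are the ones the
// Lambda event source mapping needs (see the linked AWS guide); the kms:Decrypt
// statement is only added when the queue is encrypted with a customer-managed key.
function consumerStatements(queueArn: string, kmsMasterKeyId?: KmsMasterKeyId): IamStatement[] {
  const statements: IamStatement[] = [{
    Effect: "Allow",
    Action: ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
    Resource: queueArn,
  }];
  if (kmsMasterKeyId !== undefined) {
    statements.push({ Effect: "Allow", Action: ["kms:Decrypt"], Resource: keyArnResource(kmsMasterKeyId) });
  }
  return statements;
}
```

Without the second statement the function's role can poll the queue but not decrypt message bodies, which is why the messages end up in the DLQ.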

NoxHarmonium added a commit that referenced this issue May 13, 2022
BREAKING CHANGE: If you have implemented workarounds to allow the lambda to subscribe to an encrypted SQS queue, you may get conflicts as the policy to allow the decryption is now added automatically

- If you provide a key ID, key ARN or reference to a key ARN to the `kmsMasterKeyId` attribute, the relevant 'kms:Decrypt' policy statement should be added automatically to allow the subscription to work correctly
NoxHarmonium pushed a commit that referenced this issue May 13, 2022
# [2.0.0](v1.0.1...v2.0.0) (2022-05-13)

### Bug Fixes

* fix case sensitivity issue ([42e9675](42e9675))
* improve the handling of encrypted SQS queues (fixes [#555](#555)) ([789ea78](789ea78))

### Features

* upgrade to serverless v3 ([#540](#540)) ([cf842f0](cf842f0))

### BREAKING CHANGES

* If you have implemented workarounds to allow the lambda to subscribe to an encrypted SQS queue, you may get conflicts as the policy to allow the decryption is now added automatically

- If you provide a key ID, key ARN or reference to a key ARN to the `kmsMasterKeyId` attribute, the relevant 'kms:Decrypt' policy statement should be added automatically to allow the subscription to work correctly
* serverless v2 is no longer supported. It might still work, but bug fixes/new features will mostly be developed for and tested with serverless v3 (important security/bug fixes _may_ be back ported to v2 versions depending on the uptake of v3)

serverless v3 is now a peer dependency, you will get warnings if you are on earlier versions
@NoxHarmonium
Collaborator Author

🎉 This issue has been resolved in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
