Permissions not added for encrypted SQS queues #555
NoxHarmonium added a commit that referenced this issue May 13, 2022
BREAKING CHANGE: If you have implemented workarounds to allow the lambda to subscribe to an encrypted SQS queue, you may get conflicts as the policy to allow the decryption is now added automatically - If you provide a key ID, key ARN or reference to a key ARN to the `kmsMasterKeyId` attribute, the relevant 'kms:Decrypt' policy statement should be added automatically to allow the subscription to work correctly
Merged
NoxHarmonium pushed a commit that referenced this issue May 13, 2022
# [2.0.0](v1.0.1...v2.0.0) (2022-05-13)

### Bug Fixes

* fix case sensitivity issue ([42e9675](42e9675))
* improve the handling of encrypted SQS queues (fixes [#555](#555)) ([789ea78](789ea78))

### Features

* upgrade to serverless v3 ([#540](#540)) ([cf842f0](cf842f0))

### BREAKING CHANGES

* If you have implemented workarounds to allow the lambda to subscribe to an encrypted SQS queue, you may get conflicts as the policy to allow the decryption is now added automatically - If you provide a key ID, key ARN or reference to a key ARN to the `kmsMasterKeyId` attribute, the relevant 'kms:Decrypt' policy statement should be added automatically to allow the subscription to work correctly
* serverless v2 is no longer supported. It might still work, but bug fixes/new features will mostly be developed for and tested with serverless v3 (important security/bug fixes _may_ be back ported to v2 versions depending on the uptake of v3) serverless v3 is now a peer dependency, you will get warnings if you are on earlier versions
🎉 This issue has been resolved in version 2.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀
When you add a key to the SQS queue with `kmsMasterKeyId`, no permissions are added to the lambda to decrypt the encrypted SQS messages and the messages end up in the DLQ.

When `kmsMasterKeyId` is set, a `kms:Decrypt` permission should be added to the lambda function.

See also https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-lambda-function-trigger.html
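
A check for the condition this issue describes, as an added example (not code from the plugin): it scans a compiled CloudFormation template for Lambda event source mappings on queues with `KmsMasterKeyId` set and reports consumers whose role's inline policies never allow `kms:Decrypt`. The logical IDs, the key alias, and the assumption that references use `Fn::GetAtt`/`Ref` are constructed for illustration.

```javascript
// Added example: flags Lambda consumers of KMS-encrypted SQS queues whose
// execution role has no inline Allow statement covering kms:Decrypt.
// Not checked here: managed policies, Resource scoping, the KMS key policy.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use * and ? wildcards.
const matchesDecrypt = (action) =>
  new RegExp("^" + String(action).replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i").test("kms:Decrypt");

// Logical ID behind {"Fn::GetAtt": [id, attr]} or {"Ref": id}; null otherwise.
function logicalId(value) {
  if (value && Array.isArray(value["Fn::GetAtt"])) return value["Fn::GetAtt"][0];
  if (value && typeof value.Ref === "string") return value.Ref;
  return null;
}

function roleAllowsDecrypt(role) {
  return asArray(role?.Properties?.Policies).some((p) =>
    asArray(p.PolicyDocument?.Statement).some(
      (s) => s.Effect === "Allow" && asArray(s.Action).some(matchesDecrypt)));
}

// Returns [{ queue, fn }] for each encrypted queue whose consumer cannot decrypt.
// A role that is not defined in the template cannot be inspected and is reported.
function findUndecryptableSubscriptions(template) {
  const res = template.Resources || {};
  const findings = [];
  for (const mapping of Object.values(res)) {
    if (mapping.Type !== "AWS::Lambda::EventSourceMapping") continue;
    const queueId = logicalId(mapping.Properties?.EventSourceArn);
    const fnId = logicalId(mapping.Properties?.FunctionName);
    const queue = res[queueId];
    if (queue?.Type !== "AWS::SQS::Queue" || !queue.Properties?.KmsMasterKeyId) continue;
    const role = res[logicalId(res[fnId]?.Properties?.Role)];
    if (!roleAllowsDecrypt(role)) findings.push({ queue: queueId, fn: fnId });
  }
  return findings;
}

// Constructed sample: one encrypted queue, one consumer; all names are made up.
const sampleTemplate = (actions) => ({ Resources: {
  Queue: { Type: "AWS::SQS::Queue", Properties: { KmsMasterKeyId: "alias/example-key" } },
  Role: { Type: "AWS::IAM::Role", Properties: { Policies: [{ PolicyName: "inline",
    PolicyDocument: { Statement: [{ Effect: "Allow", Action: actions, Resource: "*" }] } }] } },
  Fn: { Type: "AWS::Lambda::Function", Properties: { Role: { "Fn::GetAtt": ["Role", "Arn"] } } },
  Mapping: { Type: "AWS::Lambda::EventSourceMapping", Properties: {
    EventSourceArn: { "Fn::GetAtt": ["Queue", "Arn"] }, FunctionName: { Ref: "Fn" } } },
} });
console.log(findUndecryptableSubscriptions(sampleTemplate(["sqs:ReceiveMessage"])));
```

Run against the packaged template before deploying, this catches the failure in review instead of in the DLQ.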