
KMS keys do not inherit tags from parent stack #6102

Closed
mattchrist opened this issue Feb 4, 2020 · 1 comment · Fixed by #6125
Labels
@aws-cdk/aws-kms Related to AWS Key Management bug This issue is a bug. in-progress This issue is being actively worked on. p1

Comments

@mattchrist (Contributor)

When creating a KMS key in a stack with tags, the key does not get tagged with the stack's tags.

Reproduction Steps

This stack:

```typescript
import { App, Stack } from "@aws-cdk/core";
import { Key } from "@aws-cdk/aws-kms";

const app = new App();
const stack = new Stack(app, "keyTagTest", {
  tags: {
    tagName: "tagValue"
  }
});
const key = new Key(stack, "key");
```

Should create a key with a tag on the kms key, but no tags are present on the kms key.

The created key does not have permissions to kms:TagResource or kms:UntagResource, so tagging is not possible.

Error Log

```
key (keyFEDD6EC0) Did not have IAM permissions to process tags on AWS::KMS::Key resource.
```

cdk deploy output:

```
keyTagTest: deploying...
keyTagTest: creating CloudFormation changeset...
 0/3 | 1:25:30 PM | CREATE_IN_PROGRESS   | AWS::KMS::Key      | key (keyFEDD6EC0) 
 0/3 | 1:25:30 PM | CREATE_IN_PROGRESS   | AWS::CDK::Metadata | CDKMetadata 
 0/3 | 1:25:30 PM | CREATE_IN_PROGRESS   | AWS::KMS::Key      | key (keyFEDD6EC0) Resource creation Initiated
 0/3 | 1:25:32 PM | CREATE_IN_PROGRESS   | AWS::CDK::Metadata | CDKMetadata Resource creation Initiated
 1/3 | 1:25:33 PM | CREATE_COMPLETE      | AWS::CDK::Metadata | CDKMetadata 
1/3 Currently in progress: keyFEDD6EC0
 1/3 | 1:26:31 PM | UPDATE_IN_PROGRESS   | AWS::KMS::Key      | key (keyFEDD6EC0) Did not have IAM permissions to process tags on AWS::KMS::Key resource.
 2/3 | 1:26:31 PM | CREATE_COMPLETE      | AWS::KMS::Key      | key (keyFEDD6EC0) 
 3/3 | 1:26:33 PM | CREATE_COMPLETE      | AWS::CloudFormation::Stack | keyTagTest 
 ✅  keyTagTest
```

Environment

  • CLI Version: 1.22.0
  • Framework Version: 1.22.0
  • OS: MacOS 10.14.4
  • Language: Typescript

Other

Adding kms:TagResource and kms:UntagResource to the default IAM policy for KMS keys should resolve this issue. Adding TagResource and UntagResource to the policy when creating the key allows tags to be created on the key.

```typescript
import { Stack } from "@aws-cdk/core";
import { Key } from "@aws-cdk/aws-kms";
import * as IAM from "@aws-cdk/aws-iam";
import { Effect } from "@aws-cdk/aws-iam";

// `stack` is the Stack created in the reproduction snippet above.
declare const stack: Stack;

const key = new Key(stack, "key", {
  policy: new IAM.PolicyDocument({
    statements: [
      new IAM.PolicyStatement({
        resources: ["*"],
        actions: [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion",
          "kms:GenerateDataKey",
          // default policy does not permit tagging of resources, add additional kms:TagResource action to default policy actions. Fix upstream?
          "kms:TagResource",
          "kms:UntagResource"
        ],
        principals: [new IAM.AccountRootPrincipal()],
        effect: Effect.ALLOW
      })
    ]
  })
});
```

This is 🐛 Bug Report
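The failure mode reported above is silent from a deployment standpoint: the stack reaches CREATE_COMPLETE and only a warning event records that the key was never tagged. A defender can catch it before deploy by scanning the synthesized CloudFormation template for AWS::KMS::Key resources whose key policy does not grant both kms:TagResource and kms:UntagResource to the account root principal. The check below is an added example written for this page; it is not code from the aws-cdk project or from the issue author. It assumes the template shape CDK produces (AccountRootPrincipal rendered as an Fn::Join over Ref AWS::Partition and Ref AWS::AccountId, partition assumed to be "aws"), and the sample template and account id 123456789012 are constructed for the example.

```python
import fnmatch

# Actions CloudFormation needs in the key policy before it can apply stack tags
# to a KMS key; the pre-fix CDK default policy (see the issue) lacks both.
TAG_ACTIONS = ("kms:TagResource", "kms:UntagResource")

# Pre-fix default key policy actions, as listed in the "Other" section above.
DEFAULT_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey",
]

# Constructed sample template (account id is made up). "KeyNoTagging" renders the
# root principal the way CDK does (Fn::Join over Ref intrinsics); "KeyWithTagging"
# uses a literal ARN and the action list extended with the tagging actions.
SAMPLE_TEMPLATE = {
    "Resources": {
        "KeyNoTagging": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeyPolicy": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": {"Fn::Join": ["", [
                    "arn:", {"Ref": "AWS::Partition"}, ":iam::",
                    {"Ref": "AWS::AccountId"}, ":root"]]}},
                "Action": DEFAULT_ACTIONS,
                "Resource": "*",
            }]}},
        },
        "KeyWithTagging": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeyPolicy": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                "Action": DEFAULT_ACTIONS + list(TAG_ACTIONS),
                "Resource": "*",
            }]}},
        },
    }
}


def _as_list(value):
    """IAM allows scalars or lists in Principal/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _resolve(value, account_id):
    """Resolve the intrinsics CDK uses to render AccountRootPrincipal.
    Only Ref AWS::AccountId / AWS::Partition and Fn::Join are handled (assumption:
    partition "aws"); anything else is returned unchanged."""
    if isinstance(value, dict):
        if "Ref" in value:
            return {"AWS::AccountId": account_id, "AWS::Partition": "aws"}.get(
                value["Ref"], value["Ref"])
        if "Fn::Join" in value:
            sep, parts = value["Fn::Join"]
            return sep.join(str(_resolve(p, account_id)) for p in parts)
    return value


def _principal_is_account_root(principal, account_id):
    """True if the statement's principal covers the account root (or everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for p in _as_list(principal.get("AWS", [])):
            p = _resolve(p, account_id)
            if p in ("*", account_id, f"arn:aws:iam::{account_id}:root"):
                return True
    return False


def statement_allows(stmt, action, account_id):
    """True if this statement is an Allow for the account root that matches
    `action`, honouring IAM's '*' wildcards (e.g. "kms:*" or "kms:Tag*").
    Deny statements and NotAction are not modelled; Resource is ignored because
    a key policy's statements apply only to the key itself."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _principal_is_account_root(stmt.get("Principal", {}), account_id):
        return False
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in _as_list(stmt.get("Action", [])))


def key_policy_allows_tagging(policy, account_id):
    """Both tagging actions must be allowed, possibly by different statements."""
    statements = _as_list(policy.get("Statement", []))
    return all(any(statement_allows(s, action, account_id) for s in statements)
               for action in TAG_ACTIONS)


def keys_missing_tag_permissions(template, account_id):
    """Logical IDs of AWS::KMS::Key resources whose policy will make
    CloudFormation skip tagging, exactly as in the issue's deploy log."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        policy = res.get("Properties", {}).get("KeyPolicy", {})
        if not key_policy_allows_tagging(policy, account_id):
            missing.append(logical_id)
    return missing


if __name__ == "__main__":
    # Typical use: json.load(open("cdk.out/keyTagTest.template.json")) in place
    # of SAMPLE_TEMPLATE. Expected here: ['KeyNoTagging']
    print(keys_missing_tag_permissions(SAMPLE_TEMPLATE, "123456789012"))
```

The scan reports KeyNoTagging and accepts KeyWithTagging. Running it in CI against cdk.out before a deploy turns the post-deploy warning into a pre-deploy finding, and the same shape of check applies to any resource type whose tagging CloudFormation performs under a resource policy rather than the caller's IAM policy.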

@mattchrist mattchrist added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 4, 2020
@SomayaB SomayaB added the @aws-cdk/aws-kms Related to AWS Key Management label Feb 4, 2020
@skinny85 skinny85 added in-progress This issue is being actively worked on. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 6, 2020
@skinny85 (Contributor) commented Feb 6, 2020

PR: #6125

@skinny85 skinny85 added the p1 label Feb 6, 2020
@mergify mergify bot closed this as completed in #6125 Feb 10, 2020
mergify bot added a commit that referenced this issue Feb 10, 2020
…key policy (#6125)

* fix(kms): add TagResource & UntagResource IAM permissions to default key policy. fixes #6102

* update expected integration test results to look for new default kms key policy.

* update unit tests to look for new default kms key policy.

* update another s3 test to look for new default kms key policy.

* Update a few more tests to check for new default kms policy

* update decdk snapshot to reflect changed kms policy

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>