-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): s3-deployments don't work with new bootstrap stack #8578
Conversation
We added a KMS key, so the roles that want to read from the asset bucket should have KMS permissions. Fixes #8541.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not comfortable with granting decrypt permissions with any key. Feels unnecessarily promiscuous. I believe we should have an alias with a well known name in the bootstrap stack. Can we only grant permissions to it?
packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.ts
Outdated
Show resolved
Hide resolved
We don't have an alias. We can add an alias, but it wouldn't help. It's not possible to add permissions to an alias, it must be on the key ID (which is a UUID). |
What about a CFN Export of the key ID? |
Yep, good call. We ended up doing that. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
@@ -247,6 +267,7 @@ export class DefaultStackSynthesizer implements IStackSynthesizer { | |||
httpUrl, | |||
s3ObjectUrl, | |||
s3Url: httpUrl, | |||
kmsKeyArn: Fn.importValue(cfnify(this._kmsKeyArnExportName!)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
curious, why do we need !
here and in for this.bucketName
? Generally I think we should completely avoid !
. It's better to write the code that checks for nullity and throws an "unexpected" exception (or some other meaningful message) then let the null propagate to an unexpected place.
…l add the right permissions
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you accidentally added the imported Key
to the parent scope
Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
We added a KMS key, so the roles that want to read from the asset bucket should have KMS permissions.
Using
aws-s3-deployments
in combination with the new bootstrap stack requires a bootstrap stack update. You will see the following message if that is the case:Stack failed: Error: Stack: publishing assets requires bootstrap stack version '3', found '2'. Please run 'cdk bootstrap' with a newer CLI version.
Fixes #8541.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license