[AWS::KMS::Key] returning incorrect values #67

Open
greg5123334 opened this issue Jun 17, 2024 · 0 comments


It seems that AWS::KMS::Key resources are returning the incorrect values.

Expected: KMS ID
Actual: KMS ARN


Test

Deployment

```shell
aws cloudformation deploy --template-file template.yaml --stack-name test
```

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Drift Test

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: "Test"
        Statement:
          - Sid: Allow root # Allow everything for root IAM Role
            Effect: Allow
            Action: kms:*
            Resource: "*"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          - Sid: "ECS: Allow generate data key access for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:GenerateDataKeyWithoutPlaintext
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
            Resource: "*"
          - Sid: "ECS: Allow grant creation permission for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:CreateGrant
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
              ForAllValues:StringEquals:
                kms:GrantOperations:
                  - Decrypt
            Resource: "*"

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: "Test"
      CapacityProviders:
        - FARGATE
      Configuration:
        ManagedStorageConfiguration:
          FargateEphemeralStorageKmsKeyId: !GetAtt KMSKey.KeyId

Outputs:
  KMSKeyIdGetAtt:
    Description: Key ID GetAtt
    Value: !GetAtt KMSKey.KeyId
  KMSKeyIdGetRef:
    Description: Key ID Ref
    Value: !Ref KMSKey
  KMSKeyArn:
    Description: The ID of the KMS key
    Value: !GetAtt KMSKey.Arn
```

Observation

```yaml
Outputs:
  KMSKeyIdGetAtt:
    Description: Key ID GetAtt
    Value: !GetAtt KMSKey.KeyId
  KMSKeyIdGetRef:
    Description: Key ID Ref
    Value: !Ref KMSKey
  KMSKeyArn:
    Description: The ID of the KMS key
    Value: !GetAtt KMSKey.Arn
```

| Output | Value |
| --- | --- |
| KMSKeyArn | arn:aws:kms:eu-central-1:00000000000:key/xxxxxx-65cc-4a96-b072-xxxxxxx |
| KMSKeyIdGetAtt | xxxxxxx-65cc-4a96-b072-xxxxxxxxx |
| KMSKeyIdGetRef | xxxxxx-65cc-4a96-b072-xxxxxxxxxxx |

It seems to resolve correctly in the template itself...

And looking in the corresponding CreateCluster API call...

```json
{
    "requestParameters": {
        "clusterName": "Test",
        "tags": [
            {
                "key": "aws:cloudformation:stack-name",
                "value": "test"
            },
            {
                "key": "aws:cloudformation:logical-id",
                "value": "ECSCluster"
            },
            {
                "key": "aws:cloudformation:stack-id",
                "value": "arn:aws:cloudformation:eu-central-1:000000000000:stack/test/xxxxxxx-2c9d-11ef-9597-000000000000"
            }
        ],
        "settings": [],
        "configuration": {
            "managedStorageConfiguration": {
                "fargateEphemeralStorageKmsKeyId": "xxxxxxx-65cc-4a96-b072-xxxxxxx"
            }
        },
        "capacityProviders": [
            "FARGATE"
        ],
        "defaultCapacityProviderStrategy": []
    },
    "responseElements": {
        "cluster": {
            "clusterArn": "arn:aws:ecs:eu-central-1:000000000000:cluster/Test",
            "clusterName": "Test",
            "configuration": {
                "managedStorageConfiguration": {
                    "fargateEphemeralStorageKmsKeyId": "arn:aws:kms:eu-central-1:000000000000:key/xxxxxxx-65cc-4a96-b072-xxxxxxx"
                }
            },
            "status": "ACTIVE",
            "registeredContainerInstancesCount": 0,
            "runningTasksCount": 0,
            "pendingTasksCount": 0,
            "activeServicesCount": 0,
            "statistics": [],
            "tags": [
                {
                    "key": "aws:cloudformation:stack-name",
                    "value": "test"
                },
                {
                    "key": "aws:cloudformation:stack-id",
                    "value": "arn:aws:cloudformation:eu-central-1:000000000000:stack/test/xxxxxxx-2c9d-11ef-9597-000000000000"
                },
                {
                    "key": "aws:cloudformation:logical-id",
                    "value": "ECSCluster"
                }
            ],
            "settings": [
                {
                    "name": "containerInsights",
                    "value": "disabled"
                }
            ],
            "capacityProviders": [
                "FARGATE"
            ],
            "defaultCapacityProviderStrategy": []
        },
        "clusterCount": 1
    }
}
```

It would appear that CloudFormation is sending the correct value (key ID)... but KMS is returning the incorrect value (KMS ARN) in the response!


Documented return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the key ID, such as 1234abcd-12ab-34cd-56ef-1234567890ab.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name (ARN) of the KMS key, such as arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

For information about the key ARN of a KMS key, see Key ARN in the AWS Key Management Service Developer Guide.

KeyId

The key ID of the KMS key, such as 1234abcd-12ab-34cd-56ef-1234567890ab.

For information about the key ID of a KMS key, see Key ID in the AWS Key Management Service Developer Guide.
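One way to triage a mismatch like the one in the CreateCluster event above, as an added example that is not part of this issue or of the project: normalise the identifier CloudFormation sent and the one ECS returned to a bare key ID, report a representation-only difference (ID vs ARN) separately from a response that names a different key or a key in another region or account. The event shape mirrors the CloudTrail record quoted above; the key ID, region and account values are constructed placeholders.

```python
import re

# Constructed sample shaped like the CreateCluster CloudTrail event in the issue:
# CloudFormation sends the bare key ID, ECS echoes back the key ARN.
# The key ID and account number are placeholders, not real values.
SAMPLE_EVENT = {
    "requestParameters": {"configuration": {"managedStorageConfiguration": {
        "fargateEphemeralStorageKmsKeyId": "11111111-65cc-4a96-b072-222222222222"}}},
    "responseElements": {"cluster": {"configuration": {"managedStorageConfiguration": {
        "fargateEphemeralStorageKmsKeyId":
            "arn:aws:kms:eu-central-1:000000000000:key/11111111-65cc-4a96-b072-222222222222"}}}},
}
# Path to the KMS field inside both the request and the returned cluster object.
PATH = ("configuration", "managedStorageConfiguration", "fargateEphemeralStorageKmsKeyId")

KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Key ARN layout: arn:<partition>:kms:<region>:<account>:key/<key-id>
KEY_ARN_RE = re.compile(r"^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):key/(.+)$")


def parse_kms_key(value):
    """Split a key ID or key ARN into (key_id, region, account).
    A bare key ID yields None for region and account; alias ARNs and anything
    else that is not a *key* identifier yield None."""
    if KEY_ID_RE.match(value):
        return value, None, None
    m = KEY_ARN_RE.match(value)
    if m and KEY_ID_RE.match(m.group(4)):
        return m.group(4), m.group(2), m.group(3)
    return None


def classify_drift(event, stack_region, stack_account):
    """Decide whether the request/response mismatch is only a representation
    difference (ID vs ARN) or points at a different or out-of-scope key."""
    sent = event["requestParameters"]
    got = event["responseElements"]["cluster"]
    for k in PATH:
        sent, got = sent[k], got[k]
    a, b = parse_kms_key(sent), parse_kms_key(got)
    if a is None or b is None:
        return "unparseable"
    if a[0] != b[0]:
        return "different-key"
    for _key_id, region, account in (a, b):
        # An ARN for the same key ID but another region/account is not the stack's key.
        if region not in (None, stack_region) or account not in (None, stack_account):
            return "out-of-scope-key"
    return "representation-only"
```

Only the `representation-only` outcome is safe to suppress in drift review; the other classes deserve a look at who changed the cluster configuration.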

