It seems that AWS::KMS::Key resources are returning the incorrect values.
Expected: KMS ID
Actual: KMS ARN
Test
Deployment
aws cloudformation deploy --template-file template.yaml --stack-name test
AWSTemplateFormatVersion: 2010-09-09
Description: Drift Test
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: "Test"
        Statement:
          - Sid: Allow root # Allow everything for root IAM Role
            Effect: Allow
            Action: kms:*
            Resource: "*"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          - Sid: "ECS: Allow generate data key access for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:GenerateDataKeyWithoutPlaintext
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
            Resource: "*"
          - Sid: "ECS: Allow grant creation permission for Fargate tasks."
            Effect: Allow
            Principal:
              Service: fargate.amazonaws.com
            Action: kms:CreateGrant
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ecs:clusterAccount:
                  - !Ref AWS::AccountId
                kms:EncryptionContext:aws:ecs:clusterName:
                  - "Test" # !Ref EcsCluster circular dependency
              ForAllValues:StringEquals:
                kms:GrantOperations:
                  - Decrypt
            Resource: "*"
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: "Test"
      CapacityProviders:
        - FARGATE
      Configuration:
        ManagedStorageConfiguration:
          FargateEphemeralStorageKmsKeyId: !GetAtt KMSKey.KeyId
Outputs:
  KMSKeyIdGetAtt:
    Description: Key ID GetAtt
    Value: !GetAtt KMSKey.KeyId
  KMSKeyIdGetRef:
    Description: Key ID Ref
    Value: !Ref KMSKey
  KMSKeyArn:
    Description: The ID of the KMS key
    Value: !GetAtt KMSKey.Arn
Observation
Outputs:
  KMSKeyIdGetAtt:
    Description: Key ID GetAtt
    Value: !GetAtt KMSKey.KeyId
  KMSKeyIdGetRef:
    Description: Key ID Ref
    Value: !Ref KMSKey
  KMSKeyArn:
    Description: The ID of the KMS key
    Value: !GetAtt KMSKey.Arn
seems to resolve correctly in the template itself....
and looking in the corresponding CreateCluster API call...it would appear that Cloudformation is sending the correct value (Key id)...but KMS is returning the incorrect value (KMS Arn) in the response!
Documented return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the key ID, such as 1234abcd-12ab-34cd-56ef-1234567890ab.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
The Amazon Resource Name (ARN) of the KMS key, such as arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
For information about the key ARN of a KMS key, see Key ARN in the AWS Key Management Service Developer Guide.
KeyId
The key ID of the KMS key, such as 1234abcd-12ab-34cd-56ef-1234567890ab.
For information about the key ID of a KMS key, see Key ID in the AWS Key Management Service Developer Guide.
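The mismatch reported in this issue is a difference in form (key ARN versus bare key ID) rather than a different key. As an added example that is not part of the issue or of any AWS code, the following normalises both identifier forms before comparing a template value with what the service reports, so a review of drift-detection output can separate a genuine key swap from a cosmetic ARN/ID difference. The DescribeClusters-style cluster dictionary below is constructed for the example and assumes the fargateEphemeralStorageKmsKeyId field name used by the ECS API.

```python
"""Normalise KMS key identifiers and classify a template-vs-live difference.

Added example, not code from the issue or from AWS. The sample cluster
description is constructed; the key ID and ARN are the sample values quoted
from the CloudFormation documentation in the issue.
"""
import re
from typing import Any, Dict, Optional

# A bare KMS key ID is a UUID; a key ARN ends in "key/<uuid>".
# Alias names ("alias/...") and alias ARNs are a different identifier class
# and are deliberately not collapsed to a key ID here, because resolving an
# alias needs a KMS API call rather than string parsing.
KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
KEY_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.I,
)


def kms_key_id(identifier: str) -> Optional[str]:
    """Return the bare key ID for a key ID or a key ARN; None for anything else."""
    if KEY_ID_RE.match(identifier):
        return identifier.lower()
    match = KEY_ARN_RE.match(identifier)
    if match:
        return match.group(1).lower()
    return None


def classify_difference(template_value: str, live_value: str) -> str:
    """Classify a difference between the value CloudFormation sent and the
    value the service reports:
      "match"     - literally identical
      "form-only" - same key, reported in a different form (ID vs ARN)
      "drift"     - a different key, an alias, or something unparseable
    """
    if template_value == live_value:
        return "match"
    expected = kms_key_id(template_value)
    actual = kms_key_id(live_value)
    if expected is not None and expected == actual:
        return "form-only"
    return "drift"


# Constructed sample of what a DescribeClusters call might return for the
# cluster in the issue's template: the key comes back as an ARN even though
# CreateCluster was given the bare key ID.
SAMPLE_CLUSTER: Dict[str, Any] = {
    "clusterName": "Test",
    "configuration": {
        "managedStorageConfiguration": {
            "fargateEphemeralStorageKmsKeyId": (
                "arn:aws:kms:us-west-2:111122223333:key/"
                "1234abcd-12ab-34cd-56ef-1234567890ab"
            )
        }
    },
}


def check_fargate_storage_key(cluster: Dict[str, Any], expected_key: str) -> str:
    """Compare the cluster's reported ephemeral-storage key with the expected one."""
    live = (
        cluster.get("configuration", {})
        .get("managedStorageConfiguration", {})
        .get("fargateEphemeralStorageKmsKeyId")
    )
    if live is None:
        # The property is absent on the live resource: that is real drift,
        # not a cosmetic difference in identifier form.
        return "drift"
    return classify_difference(expected_key, live)


if __name__ == "__main__":
    template_key = "1234abcd-12ab-34cd-56ef-1234567890ab"  # !GetAtt KMSKey.KeyId
    print(check_fargate_storage_key(SAMPLE_CLUSTER, template_key))  # form-only
```

A "form-only" result is what this issue describes: the key in use is the intended one, and only the identifier form differs. Anything classified "drift" deserves a look, since it means the cluster is encrypting ephemeral storage with a key other than the one the template specified, or with no customer key at all.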