(bootstrap): own account should be included in trust #25290

Closed
pn-dbs opened this issue Apr 25, 2023 · 3 comments
Labels: bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1, package/tools (Related to AWS CDK Tools or CLI)

Comments

pn-dbs commented Apr 25, 2023

Describe the bug

If I bootstrap my aws account 111111111111 with

npx cdk bootstrap \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
    --trust 222222222222 111111111111/eu-central-1 \
    --bootstrap-kms-key-id <account_internal_key_id>

in the past the resulting cdk-hnb659fds-deploy-role did contain

    {
        "Condition": {
            "StringEquals": {
                "kms:ViaService": "s3.eu-central-1.amazonaws.com"
            }
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Allow",
        "Sid": "PipelineCrossAccountArtifactsKey"
    },

Since #24588 this behaviour has changed though, now the Resource is restricted to

    {
        "Condition": {
            "StringEquals": {
                "kms:ViaService": "s3.eu-central-1.amazonaws.com"
            }
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
        ],
        "Resource": [
            "arn:aws:kms:*:222222222222:*"
        ],
        "Effect": "Allow",
        "Sid": "PipelineCrossAccountArtifactsKey"
    },

Expected Behavior

The account to be bootstrapped (111111111111) is allowed to use the KMS key used for the cdk bucket as well, not just the trusted account 222222222222.

Current Behavior

Only the trusted account is allowed to. This results in cdk uploading the Stacks into its S3-bucket but then cloudformation fails reading from it as the deploy-role no longer has access rights.

creating CloudFormation changeset...

 ❌  <stackname> failed: Error [ValidationError]: S3 error: Access Denied
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
  code: 'ValidationError',
  statusCode: 400,
}

One could argue that the account itself should also be explicitly listed as a trusted account, but that would mean the default parameters generate a non-working environment, so I think it should work without explicitly mentioning 111111111111.

Reproduction Steps

npx cdk bootstrap \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
    --trust 222222222222 111111111111/eu-central-1 \
    --bootstrap-kms-key-id <account_internal_key_id>

Possible Solution

Add the account to be bootstrapped into the grant as well or revert to the behaviour before #24588 for the deployment role.

Additional Information/Context

No response

CDK CLI Version

2.76.0 (build 78c411b)

Framework Version

No response

Node.js Version

v16.18.1

OS

Amazon Linux 2

Language

Python

Language Version

3.9.16

Other information

No response
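An added check, not code from the issue or from the CDK project, that evaluates the two PipelineCrossAccountArtifactsKey statements quoted above against the bootstrapped account's own KMS key ARN, showing why the post-#24588 Resource leaves the deploy role without access and what the reporter's proposed grant would restore. The key id, the glob matcher and the shape of fixed_resources are assumptions.

```python
import json
import re

# Constructed from the two statements quoted in the issue; the key id is a
# placeholder because the real one is not on the page.
OWN_ACCOUNT = "111111111111"
TRUSTED_ACCOUNTS = ["222222222222"]
REGION = "eu-central-1"
STATEMENT_BEFORE = json.loads("""{
  "Sid": "PipelineCrossAccountArtifactsKey",
  "Effect": "Allow",
  "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
             "kms:ReEncrypt*", "kms:GenerateDataKey*"],
  "Resource": ["*"],
  "Condition": {"StringEquals": {"kms:ViaService": "s3.eu-central-1.amazonaws.com"}}
}""")
# After #24588 only the trusted account's keys remain in Resource.
STATEMENT_AFTER = dict(STATEMENT_BEFORE, Resource=["arn:aws:kms:*:222222222222:*"])

def iam_glob_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run, '?' one char, all else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def statement_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """True if an Allow statement covers both action and resource. The
    kms:ViaService condition is the same in both versions, so it is skipped."""
    if statement.get("Effect") != "Allow":
        return False
    return (any(iam_glob_match(a, action) for a in as_list(statement["Action"]))
            and any(iam_glob_match(r, resource_arn)
                    for r in as_list(statement["Resource"])))

def key_arn(account: str, key_id: str = "PLACEHOLDER-KEY-ID") -> str:
    return f"arn:aws:kms:{REGION}:{account}:key/{key_id}"

def deploy_role_can_decrypt(statement: dict) -> dict:
    """Per account: can the deploy role use kms:Decrypt on that account's key?"""
    accounts = [OWN_ACCOUNT, *TRUSTED_ACCOUNTS]
    return {a: statement_allows(statement, "kms:Decrypt", key_arn(a)) for a in accounts}

def fixed_resources(own_account: str, trusted: list) -> list:
    """Resource list with the bootstrapped account added to the grant, as the
    reporter proposes (assumption: same ARN pattern as the trusted entry)."""
    return [f"arn:aws:kms:*:{a}:*" for a in [own_account, *trusted]]
```

Running deploy_role_can_decrypt over a deploy role's actual policy statement is a quick way to confirm, before a deployment, that the bootstrapped account's own bucket key is still covered.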

@pn-dbs pn-dbs added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Apr 25, 2023
pahud commented Apr 25, 2023

Thank you for your feedback. I am making this p1 for more visibility from the team.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2023
@sumupitchayan sumupitchayan self-assigned this Oct 4, 2024
sumupitchayan commented

This is no longer an issue. The PR that edited the bootstrap template and created this bug, #24588, was reverted in #25540 on May 11, 2023 (a couple of weeks after this issue was originally created in April 2023).

I have confirmed the fix by successfully bootstrapping with the same cdk bootstrap command provided by the requestor, passing in 2 accounts with the --trust flag.

Also, we can see that the current bootstrap template includes the revert of the problematic PR.

@pn-dbs to resolve this issue, upgrade your CDK version and re-run cdk bootstrap

github-actions bot commented Oct 9, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 9, 2024