Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow the usage of an encrypted AMI #2927

Closed
v-rosa opened this issue Feb 6, 2023 · 11 comments
Closed

allow the usage of an encrypted AMI #2927

v-rosa opened this issue Feb 6, 2023 · 11 comments

Comments

@v-rosa
Copy link
Contributor

v-rosa commented Feb 6, 2023

Currently its not possible to use an AMI encrypted using an external KMS key.

Something like this would fix this issue. https://github.com/v-rosa/terraform-aws-github-runner/tree/allow-using-encrypted-ami

Would be great to have this feature, let me know if these changes are OK for a PR.

Co-authored with @rsmolinski
@reedloden
Copy link
Contributor

(random lurker here that just saw this issue)

Wouldn't it make sense to go ahead and submit as a PR versus waiting to hear if you should? Saves an unneeded step. :-)

@v-rosa v-rosa mentioned this issue Feb 7, 2023
Merged
@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2023

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the Stale label Mar 9, 2023
@reedloden
Copy link
Contributor

not stale :-)

@github-actions github-actions bot removed the Stale label Mar 10, 2023
@marko-fabry
Copy link
Contributor

Hello @v-rosa , I have tried your shared encrypted AMI feature in the 2.4.0 release but I was not able to get the scale-up lambda to actually run an EC2 instance without adding following IAM permission to the role:

statement {
    sid    = "AllowKMSCreateGrant"
    effect = "Allow"
    actions = [
      "kms:CreateGrant",
    ]
    resources = [
      var. ami_kms_key_arn
    ]
    condition {
      test     = "Bool"
      variable = "aws:ViaAWSService"
      values   = ["true"]
    }
  }

Did you maybe set some special permissions on the KMS key, so that this is not needed?

@v-rosa
Copy link
Contributor Author

v-rosa commented Mar 10, 2023
edited
Loading

Hello @marko-fabry indeed you are right, we're missing the Kms:CreateGrant permission I have it in my example, not sure why I missed it in the initial PR.

Even though the Kms key policy allows a given identity to use the key, the KMS service also requires the permissions to be set on the user/role allowed to use the key.

Edit: this not applies for grants, it can be set either on the key policy or IAM policy. See:

Principals can get permission to create grants from a key policy or IAM policy. Principals who get kms:CreateGrant permission from a policy can create grants for any grant operation on the KMS key. These principals are not required to have the permission that they are granting on the key. When you allow kms:CreateGrant permission in a policy, you can use policy conditions to limit this permission.

https://docs.aws.amazon.com/kms/latest/developerguide/grants.html

I will try to open a PR today to fix this. Thanks for the report.

@marko-fabry
Copy link
Contributor

Thank you :) Much appreciated.

@v-rosa
Copy link
Contributor Author

v-rosa commented Mar 10, 2023

Meanwhile I started to load more context (I'm in PTO ehehe) it might work only with the KMS key policy. Can you share you KMS key policy uses to encrypt the AMI?

@v-rosa
Copy link
Contributor Author

v-rosa commented Mar 10, 2023
edited
Loading

In you KMS key policy try to add the following statement:

            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account-number>:<root-or-iam-role>"
                ]
            },
            "Action": "kms:CreateGrant",
            "Resource": "*"
        }

And try again to spin up some runners. With this permission on the key policy I could create runners without specifically add Kms:CreateGrant on the lambda policy.

Later the CreateGrant permission in the KMS key policy should be more restricted, see https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-authorization

@marko-fabry
Copy link
Contributor

Hey @v-rosa , sorry for late response.

I tried adding the policy statement you provided without the statement that allowed the kms:Grant on the role, but the runners don't spin up. I see errors in CloudTrail like this:

...
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "ec2-frontend-api.amazonaws.com",
    "userAgent": "ec2-frontend-api.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::123456789:assumed-role/scale-up-lambda-role/scale-up is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-1:123456789:key/abcdef123456789 because no identity-based policy allows the kms:CreateGrant action",
...

So I guess the allow on the lambda role is actually necessary.

@marko-fabry marko-fabry mentioned this issue Mar 13, 2023
Merged
@marko-fabry
Copy link
Contributor

@v-rosa I added a PR - #3049 :)

npalm pushed a commit that referenced this issue Mar 17, 2023
@marko-fabry
fix: add missing IAM permissions for runners from encrypted AMI (#3049)
e0819f6 
This should fix missing IAM permissions when running from encrypted AMI.
See [this
issue](#2927)
@v-rosa
Copy link
Contributor Author

v-rosa commented Mar 21, 2023

Seems that a new hot fix was released, closing this issue.

@v-rosa v-rosa closed this as completed Mar 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@reedloden @v-rosa @marko-fabry