Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

solution-specific variables not working for KMS Policies #626

Open
6 tasks
BlakePierantoni opened this issue Oct 30, 2024 · 0 comments
Open
6 tasks

solution-specific variables not working for KMS Policies #626

BlakePierantoni opened this issue Oct 30, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@BlakePierantoni
Copy link

BlakePierantoni commented Oct 30, 2024
edited
Loading

Describe the bug
The solution specific variables ${ACCOUNT_ID} and ${REGION} are not being replaced in JSON documents for KMS key policies deployed via the solution. This results in a pipeline failure in the logging stage.

Failure:

The stack named AWSAccelerator-LoggingStack-************-us-east-2 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Policy contains a statement with one or more invalid principals. (Service: Kms, Status Code: 400

keyManagementService: keySets: - name: ExampleKey deploymentTargets: organizationalUnits: - Workloads/Prod alias: alias/example/key policy: kms/policy.json description: Example KMS key enabled: true enableKeyRotation: true removalPolicy: retain

Snip-it from Key Policy Document
{ "Sid": "Allow EC2 to use this key on behalf of the current AWS Application Migration Service user, during target launches", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::${ACCOUNT_ID}:root", "arn:aws:iam::${ACCOUNT_ID}:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService" ] }, "Action": [ "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": [ "${ACCOUNT_ID}" ], "kms:ViaService": "ec2.${REGION}.amazonaws.com" } } }

To Reproduce
Steps to reproduce the behavior.

  1. Create a CMK for the solution and a custom KMS Key Policy
  2. Utilize the solution specific variables ${ACCOUNT_ID} and ${REGION} within the Key Policy document.
  3. Execute the pipeline

Expected behavior
I expected the pipeline to execute and replace the solution specific variables to be replaced with the AWS Account ID of the target account and the AWS Region the key policy is being deployed into.

This feature is supported per the Accelerator solution documentation

Please complete the following information about the solution:

  • Version: v1.10.0
  • Region: us-east-1 and us-east-2
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub? No
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? Yes, logs are above

Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context
Add any other context about the problem here.
@BlakePierantoni BlakePierantoni added the bug Something isn't working label Oct 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@BlakePierantoni