search

amazon-connect / amazon-connect-salesforce-lambda

Apache License 2.0
47 stars 35 forks source link

5.7 Release does not configure correct KMS permissions on Lambda Roles #2

Closed zopa-daniel-kitchen closed 3 years ago

zopa-daniel-kitchen commented 3 years ago

I upgraded our deployment of the ServerLess Repo CTI Adapter to 5.7.3 but Lambdas are now failing with errors.

On investigation it seems code was added to salesforce.py to write an OAuth token to SecretsManager:

https://github.com/amazon-connect/amazon-connect-salesforce-lambda/blob/3a926720ee1ae550a2829f8976cdfea2bd985f69/sam-app/lambda_functions/salesforce.py#L88

However, the CloudFormation policy document for the Lambda functions has not been updated to include permissions to Encrypt with the SecretsManager KMS key as provided by the parameter:

SalesforceCredentialsKMSKeyARN

In the template the resource KMSManagedPolicy only attaches permissions for kms:Decrypt:

https://github.com/amazon-connect/amazon-connect-salesforce-lambda/blob/3a926720ee1ae550a2829f8976cdfea2bd985f69/sam-app/lambda_functions/template.yaml#L226

This causes the following error when the Lambda runs:


[DEBUG] 2020-11-16T16:44:43.856Z    3e02e379-48a5-4f10-8405-04c11d08f9ba    https://secretsmanager.eu-west-2.amazonaws.com:443 "POST / HTTP/1.1" 400 75

[DEBUG] 2020-11-16T16:44:43.857Z    3e02e379-48a5-4f10-8405-04c11d08f9ba    Response headers: {'Date': 'Mon, 16 Nov 2020 16:44:43 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '75', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'ce54db28-100a-4fef-909f-3bc87b30fd6d'}

[DEBUG] 2020-11-16T16:44:43.857Z    3e02e379-48a5-4f10-8405-04c11d08f9ba    Response body:
b'
{
    "__type": "AccessDeniedException",
    "Message": "Access to KMS is not allowed"
}
'

Steps to reproduce

Launch AWS::Serverless::Application resource via Cloudformation passing SemanticVersion: 5.7.3. Fill in all required parameters as desired, they won't effect the behaviour.

cti:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-west-2:821825267871:applications/AmazonConnectSalesforceLambda
        SemanticVersion: 5.7.3
LorneCurrie commented 3 years ago

The issue is with 5.7.

blee-amzn commented 3 years ago

Hi guys,

apologies for this issue. We've already merged the fix into our repo, but you can fix this yourself by adding the kms:generatedatakey action to the KMSManagedPolicy managed policy.