Closed acdha closed 1 year ago
I ran into a problem deploying this using KMS CMKs in a single pass because I can't create the IAM role first so the CMK policy can include its ARN for access. This can, of course, be solved by changing the CMK policy after the fact, but that is non-trivial to implement in common tools like CloudFormation or Terraform.
It seems like this could most easily be implemented by allowing an IAM role to be provided as an input, so the CMK key policy could be configured first and then all of the same IAM policies could be attached by this stack.
Thank you for opening this issue - we are looking into it.
Hi acdha. Apologies for the delay in responding. Our recommendation would be to change the CMK policy afterwards or structure the key policy using tags on the secret. Unfortunately this enhancement isn't something that we're looking to implement at this time.
Alternatively, the rotation Lambda templates simply use the AWS::Serverless::Function CloudFormation resource, so you could just use !GetAtt my_serverless_functionRole.Arn to reference the role ARN and give permissions to your CMK key policy. You can then also use this same role reference to give KMS decrypt permissions to your Lambda execution role by using AWS::IAM::Policy. All of that can be done in a single CloudFormation template in a single pass.
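The single-pass layout the maintainer describes above, written out as an added SAM template; this is an example and not one of the rotation Lambda templates themselves. The logical IDs (RotationFunction, SecretsKey, RotatedSecret, and so on), the handler name, the CodeUri path and the secret's template are assumptions. It relies on the documented SAM behaviour that the generated execution role gets the logical ID <FunctionLogicalId>Role, here RotationFunctionRole, so the key policy can name that role's ARN in the same template:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  # SAM generates the execution role as RotationFunctionRole. Nothing in this
  # function's Properties may reference SecretsKey or RotatedSecret, or the
  # chain key -> role -> function -> key/secret becomes a circular dependency.
  RotationFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub '${AWS::StackName}-rotation'
      Handler: lambda_function.lambda_handler   # hypothetical handler
      Runtime: python3.11
      CodeUri: ./rotation/                      # hypothetical code path
      Timeout: 30
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - secretsmanager:DescribeSecret
                - secretsmanager:GetSecretValue
                - secretsmanager:PutSecretValue
                - secretsmanager:UpdateSecretVersionStage
              Resource: '*'
              # Scope the wildcard to secrets that name this function as rotator
              Condition:
                StringEquals:
                  secretsmanager:resource/AllowRotationLambdaArn: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-rotation'

  SecretsManagerInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref RotationFunction
      Action: lambda:InvokeFunction
      Principal: secretsmanager.amazonaws.com

  # Resource side of the grant: the key policy names the generated role
  # directly, so no out-of-band edit to the key policy is needed.
  SecretsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for the rotated secret (example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: AllowRotationRoleUse
            Effect: Allow
            Principal:
              AWS: !GetAtt RotationFunctionRole.Arn
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: '*'
            Condition:
              StringEquals:
                kms:ViaService: !Sub 'secretsmanager.${AWS::Region}.amazonaws.com'

  # Identity side of the grant, attached to the same generated role.
  RotationRoleKmsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AllowSecretsKeyDecrypt
      Roles:
        - !Ref RotationFunctionRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: !GetAtt SecretsKey.Arn

  RotatedSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      KmsKeyId: !Ref SecretsKey
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app"}'   # constructed sample
        GenerateStringKey: password
        ExcludeCharacters: '"@/\'

  RotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretsManagerInvoke
    Properties:
      SecretId: !Ref RotatedSecret
      RotationLambdaARN: !GetAtt RotationFunction.Arn
      RotationRules:
        AutomaticallyAfterDays: 30
```

Two points worth checking before deploying a variant of this. First, the dependency graph only stays acyclic because the function's own Properties never mention the key or the secret; the moment you add the secret ARN to the inline Policies or an environment variable, CloudFormation reports a circular dependency, which is the situation the issue describes. Second, in the same account the key policy statement that names the role ARN directly is already sufficient on its own; the AWS::IAM::Policy is the identity-side half the maintainer suggests and is what carries the grant if you instead let the key policy delegate to IAM through the account root statement only.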