Some permission boundaries (e.i. Resource and StringLike condition) in lab/iam/policies/base.yaml IAM managed policy statements causes KMS’ API CreateAlias error while creating the workshop environment with terraform, as detailed here
Detailed error as below (sensitive information has been replaced):
╷
│ Error: creating KMS Alias (alias/eks/eks-workshop): operation error KMS: CreateAlias, https response error StatusCode: 400, RequestID: 7511818b-09fd-4a3c-a4ea-0681309ccb56, api error AccessDeniedException: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/eks-workshop-ide-EksWorkshopIdeRole-Ly8RGbBztvHE/i-XXXXXXXXXXXXXXXXX is not authorized to perform: kms:CreateAlias on resource: arn:aws:kms:us-west-2: XXXXXXXXXXXX:alias/eks/eks-workshop because no identity-based policy allows the kms:CreateAlias action
│
│ with module.eks.module.kms.aws_kms_alias.this["cluster"],
│ on .terraform/modules/eks.kms/main.tf line 452, in resource "aws_kms_alias" "this":
│ 452: resource "aws_kms_alias" "this" {
│
╵
The default KMS key eks-workshop is created but the key alias isn’t. Also, the EKS cluster and managed node group are deployed, but further cluster operations where the KMS key is referenced by key alias could fail.
What did you expect to happen?
Default behavior for terraform-aws-eks module is to create a KMS key for cluster encryption. Here is the permalink for the corresponding variable.
Also, the EKS module uses a default computed alias when creating KMS resources through terraform-aws-kms module. The computed alias has a name prefix in the form eks/${var.cluster_name}. Here is the permalink for the corresponding module definition.
Neither of above behaviors are changed by the terraform manifest provided in the workshop, so the expected result should be that any IAM policy statement referencing the KMS resources have the correct name prefix aliases
Following the steps detailed in the public EKS workshop site as below:
Deploy the AWS CloudFormation stack to create the VSCode IDE environment (a.k.a. eks-workshop-ide). Quick-create link: launch
Follow the steps to create the workshop environment with terraform, as detailed here
Anything else we need to know?
Take into account that terraform-aws-kms module adds up the name prefix alias/ to any computed aliases received from downstream modules. So, the resulting name property for the KMS key alias will be as below:
alias/eks/<any_provided_value>
We can confirm this by looking into terraform plan -var="cluster_name=$EKS_CLUSTER_NAME" before the apply step
# module.eks.module.kms.aws_kms_alias.this["cluster"] will be created
+ resource "aws_kms_alias" "this" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "alias/eks/eks-workshop"
+ name_prefix = (known after apply)
+ target_key_arn = (known after apply)
+ target_key_id = (known after apply)
}
EKS version
Same versions as deployed by default in the public EKS workshop
@snypher thanks for the very detailed report. It looks like we'll need to add an additional condition to the IAM policy since the KMS alias in other parts of the workshop use the existing pattern.
Installation method
Own AWS account
What happened?
Some permission boundaries (e.i.
Resource
andStringLike
condition) inlab/iam/policies/base.yaml
IAM managed policy statements causes KMS’ APICreateAlias
error while creating the workshop environment with terraform, as detailed hereDetailed error as below (sensitive information has been replaced):
The default KMS key
eks-workshop
is created but the key alias isn’t. Also, the EKS cluster and managed node group are deployed, but further cluster operations where the KMS key is referenced by key alias could fail.What did you expect to happen?
Default behavior for terraform-aws-eks module is to create a KMS key for cluster encryption. Here is the permalink for the corresponding variable.
Also, the EKS module uses a default computed alias when creating KMS resources through terraform-aws-kms module. The computed alias has a name prefix in the form
eks/${var.cluster_name}
. Here is the permalink for the corresponding module definition.Neither of above behaviors are changed by the terraform manifest provided in the workshop, so the expected result should be that any IAM policy statement referencing the KMS resources have the correct name prefix aliases
Below is a patch for
base.yaml
fileSame patch can be applied to the final unified YAML
eks-workshop-vscode-cfn.yaml
How can we reproduce it?
Following the steps detailed in the public EKS workshop site as below:
Anything else we need to know?
Take into account that terraform-aws-kms module adds up the name prefix
alias/
to any computed aliases received from downstream modules. So, the resulting name property for the KMS key alias will be as below:alias/eks/<any_provided_value>
We can confirm this by looking into
terraform plan -var="cluster_name=$EKS_CLUSTER_NAME"
before the apply stepEKS version
Same versions as deployed by default in the public EKS workshop