aws / amazon-genomics-cli

https://aws.github.io/amazon-genomics-cli/
Apache License 2.0

Add support for cross account SSE-KMS S3 buckets #545

Open giany opened 1 year ago

giany commented 1 year ago

Cannot access cross account S3 bucket if the bucket has KMS enabled

Describe the Bug

In the documentation it's specified that we can use buckets from a different AWS account. For example: I'm using AccountA for AGC and AccountB for the buckets:

data:
  - location: s3://accB-s3-bucket*
    readOnly: true

This works fine if there is no KMS encryption set, but if SSE-KMS is set on the bucket, then the Role that is used to run the EC2s (it has a name like: Agc-Context-xxxx-g-BatchTaskBatchSpotBatchR-1SMCM2E1YR01X) needs to be able to access that KMS key. Accessing those buckets does not work due to this.

Steps to Reproduce

Use a S3 bucket from a different AWS account and make sure SSE-KMS is enabled.

Expected Behavior

I should be able to access the involved S3 bucket.

Actual Behavior

I get a forbidden message.

download failed: s3://accB-s3-bucket/file.gvcf.gz to ../../tmp/ephermal/file.gvcf.gz An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

Additional Context

If I manually add a policy on that Role that allows kms:decrypt on that KMS key, it behaves properly, though once the context is destroyed and re-created the policy needs to be added again.

Operating System: Ubuntu 18.04
AGC Version: 1.5.1
Was AGC setup with a custom bucket: Yes
Was AGC setup with a custom VPC: Yes
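For reference, the kind of IAM policy the reporter describes attaching by hand to the Batch task role in AccountA is shown below. This is an added illustration, not code from the AGC project or the reporter; the account IDs, region, key ID and role suffix are placeholders, and the bucket name follows the example in the report. The kms:ViaService condition limits use of the key to calls S3 makes on the role's behalf, and the grant only takes effect if the key policy in AccountB also allows this AccountA principal (or AccountA's root) to use the key, which is the usual requirement for cross-account KMS access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadCrossAccountBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::accB-s3-bucket",
        "arn:aws:s3:::accB-s3-bucket/*"
      ]
    },
    {
      "Sid": "DecryptWithAccountBKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:222222222222:key/PLACEHOLDER-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Because the role is recreated with each AGC context, any policy attached this way is lost on `agc context destroy` and must be re-attached, which is the gap the issue asks AGC to close.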

rforsyth commented 1 year ago

Thanks for raising this issue and for validating that it works with a manually updated IAM Role. We will add support for cross-account S3 buckets to our feature backlog.

Switching the label from "bug" to "enhancement" since this would be considered a new feature. Leaving this issue open to track the work.