Open giany opened 1 year ago
Thanks for raising this issue and for validating that it works with a manually updated IAM Role. We will add support for cross-account S3 buckets to our feature backlog.
Switching the label from "bug" to "enhancement" since this would be considered a new feature. Leaving this issue open to track the work.
Cannot access cross account S3 bucket if the bucket has KMS enabled
Describe the Bug
In the documentation it's specified that we can use buckets from a different AWS account. For example: I'm using AccountA for AGC and AccountB for the buckets.
This works fine if there is no KMS encryption set, but if SSE-KMS is set on the bucket, then the Role that is used to run the EC2s (has a name like: Agc-Context-xxxx-g-BatchTaskBatchSpotBatchR-1SMCM2E1YR01X) needs to be able to access that KMS key. Accessing those buckets does not work due to this.
Steps to Reproduce
Use an S3 bucket from a different AWS account and make sure SSE-KMS is enabled.
Expected Behavior
I should be able to access the involved S3 bucket.
Actual Behavior
I get a forbidden message.
Additional Context
If I manually add to that Role a policy that allows kms:Decrypt on that KMS key, it behaves properly, though once the context is destroyed and re-created the policy needs to be added again.
Operating System: Ubuntu 18.04
AGC Version: 1.5.1
Was AGC setup with a custom bucket: Yes
Was AGC setup with a custom VPC: Yes
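The manual workaround described in the report needs two pieces for cross-account SSE-KMS: the key policy in the bucket account must name the foreign role, and the role in the AGC account needs a matching, key-scoped IAM policy. The script below is an added example, not AGC project code; every account ID, the key ID, the region and the role name are placeholders, and it adds kms:GenerateDataKey alongside kms:Decrypt so that workflow outputs can also be written to the bucket.

```shell
#!/bin/sh
# Added example (not from the AGC project): grant an AGC Batch role in
# AccountA least-privilege access to the SSE-KMS key of a bucket in AccountB.
# All account IDs, the key ID, the region and the role name are placeholders.
set -eu

ACCOUNT_A="111111111111"                      # account running AGC (placeholder)
ACCOUNT_B="222222222222"                      # account owning bucket and key (placeholder)
REGION="us-east-1"                            # placeholder region
KEY_ID="00000000-0000-0000-0000-000000000000" # placeholder KMS key id
KEY_ARN="arn:aws:kms:${REGION}:${ACCOUNT_B}:key/${KEY_ID}"
ROLE_NAME="Agc-Context-EXAMPLE-BatchRole"     # placeholder; AGC generates the real name
ROLE_ARN="arn:aws:iam::${ACCOUNT_A}:role/${ROLE_NAME}"

# Statement to merge into the key policy in AccountB. Cross-account KMS use
# requires the key policy to name the foreign principal; an IAM policy on the
# role alone is not sufficient. kms:ViaService limits use to S3 in this region.
key_policy_statement() {
  cat <<EOF
{
  "Sid": "AllowAgcBatchRoleViaS3",
  "Effect": "Allow",
  "Principal": { "AWS": "${ROLE_ARN}" },
  "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": "*",
  "Condition": { "StringEquals": { "kms:ViaService": "s3.${REGION}.amazonaws.com" } }
}
EOF
}

# Inline policy for the role in AccountA, scoped to the single key ARN rather
# than "kms:*" on "*".
role_policy_document() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "${KEY_ARN}"
  }]
}
EOF
}

# Apply only when explicitly requested so the script can be inspected safely.
if [ "${APPLY:-0}" = "1" ]; then
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name AgcCrossAccountKms --policy-document "$(role_policy_document)"
  echo "Merge this statement into the key policy of ${KEY_ARN} in account ${ACCOUNT_B}:"
  key_policy_statement
fi
```

Because AGC recreates the Batch role when a context is destroyed and re-created, the role-side policy has to be reapplied each time until the requested feature lands, while the key policy in AccountB only needs updating if the generated role name changes.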