Open cponfick opened 1 year ago
Hi
```python
iot_actions.SnsTopicAction(
    sns_topic,
    message_format=iot_actions.SnsActionMessageFormat.RAW,
    role=iam_role,
)
```
I believe you need to manually grant the read permission to the IAM role before you are allowed to do that, because `SnsTopicAction` has no idea if the `sns_topic` comes with a master key property.
> Hi
> `iot_actions.SnsTopicAction(sns_topic, message_format=iot_actions.SnsActionMessageFormat.RAW, role=iam_role)`
> I believe you need to manually grant the read permission to the IAM role before you are allowed to do that.
Yes, that's how I currently do it. But if no role is given, I would expect that the grant happens automatically inside `SnsTopicAction` (on the generated role).
@pahud I guess this is not really a bug, but an inconsistency in how different grants work.
Looking at `grantWrite` of an S3 bucket, it is stated that it grants the required permission to encrypt the data. `SnsTopicAction` just calls `grantPublish`. This does not grant the permission to encrypt data. Maybe I am missing something, but this seems odd to me.
As a user I would expect that `grantWrite` and `grantPublish` would either both grant the required policies for encryption, or none would.
This is something that could be better handled by our codebase - it would be great if this could automatically detect the key on the Topic. We'd need to expose this on the Topic construct first, and then handle it appropriately after that, but it should be possible!
I'll work on it.
Describe the bug
When creating an SNS topic action with a master-key the action does not work, because it does not have the permission to use the KMS-Key.
Expected Behavior
I would expect the action to work.
Current Behavior
It does not work, because of missing KMS-Key permissions.
Reproduction Steps
Possible Solution
I did not look into the source code yet, but I guess it should be possible to grant the required permissions to the sns topic action role.
The following is a workaround I currently use:
Additional Information/Context
No response
CDK CLI Version
2.70
Framework Version
No response
Node.js Version
16.15.0
OS
MacOS
Language
Python
Language Version
3.9
Other information
No response
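An added example, not code from the issue or from the CDK project: a check over a synthesized CloudFormation template that flags IoT rule SNS actions whose target topic has a `KmsMasterKeyId` while the policies attached to the action role allow no KMS actions, which is the gap this issue describes. The required-action list, the logical IDs and the `SAMPLE` fragment are assumptions constructed for illustration; statement `Resource` scoping, inline role policies and the key policy are not evaluated.

```python
from fnmatch import fnmatchcase

# Assumption (not from the page): KMS actions a publisher needs on an encrypted topic.
REQUIRED_KMS = ("kms:Decrypt", "kms:GenerateDataKey")

def logical_id(value):
    """Resolve {"Ref": id} or {"Fn::GetAtt": [id, attr]} to a logical ID, else None."""
    value = value if isinstance(value, dict) else {}
    return value.get("Ref") or (value.get("Fn::GetAtt") or [None])[0]

def allowed_actions(resources, role_id):
    """Lower-cased action patterns allowed by AWS::IAM::Policy resources attached to the role."""
    patterns = []
    for res in resources.values():
        props = res.get("Properties", {})
        attached = role_id is not None and role_id in map(logical_id, props.get("Roles", []))
        if res["Type"] != "AWS::IAM::Policy" or not attached:
            continue
        for stmt in props["PolicyDocument"]["Statement"]:
            acts = stmt.get("Action", []) if stmt.get("Effect") == "Allow" else []
            patterns += [acts] if isinstance(acts, str) else acts
    return [p.lower() for p in patterns]

def find_missing_kms_grants(template):
    """Return (rule_id, topic_id, missing_actions) for IoT SNS actions on encrypted topics."""
    resources, findings = template["Resources"], []
    for rule_id, res in resources.items():
        if res["Type"] != "AWS::IoT::TopicRule":
            continue
        for action in res["Properties"]["TopicRulePayload"]["Actions"]:
            sns = action.get("Sns")
            topic_id = logical_id(sns["TargetArn"]) if sns else None
            if "KmsMasterKeyId" not in resources.get(topic_id, {}).get("Properties", {}):
                continue  # not an SNS action, or the target topic is unencrypted
            granted = allowed_actions(resources, logical_id(sns["RoleArn"]))
            missing = [a for a in REQUIRED_KMS
                       if not any(fnmatchcase(a.lower(), p) for p in granted)]
            if missing:
                findings.append((rule_id, topic_id, missing))
    return findings

# Constructed sample: encrypted topic, IoT rule with an SNS action, role policy with sns:Publish only.
SAMPLE = {"Resources": {
    "Topic": {"Type": "AWS::SNS::Topic", "Properties": {"KmsMasterKeyId": {"Fn::GetAtt": ["Key", "Arn"]}}},
    "Rule": {"Type": "AWS::IoT::TopicRule", "Properties": {"TopicRulePayload": {"Actions": [
        {"Sns": {"TargetArn": {"Ref": "Topic"}, "RoleArn": {"Fn::GetAtt": ["Role", "Arn"]}}}]}}},
    "RolePolicy": {"Type": "AWS::IAM::Policy", "Properties": {"Roles": [{"Ref": "Role"}], "PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": {"Ref": "Topic"}}]}}},
}}
```

Running `find_missing_kms_grants` on the JSON produced by `cdk synth` lets the missing grant surface before deployment instead of as a silently failing rule action.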