aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0

Export service's TaskRole in Cloudformation output for add-on importing #5818

Open gautam-nutalapati opened 1 month ago

gautam-nutalapati commented 1 month ago

We create a KMS key in add-ons and would like to restrict it to the service's task role. Can we expose the task role ARN in CloudFormation so we can use it in the KMS access policy in add-ons?

UPDATE: Please note that, unlike applying a policy to the task role via add-ons, in this case we need to use the task role ARN in add-ons. Refer: KMS key-policies

huanjani commented 1 month ago

Hi, @gautam-nutalapati!

You can create a Parameters file for your addons template that refers to your Task Role ARN. See https://aws.github.io/copilot-cli/docs/developing/addons/workload/#customizing-the-parameters-section.

huanjani commented 1 month ago

In .../addons/addons.parameters.yml:

Parameters:
    TaskRoleArn: !GetAtt TaskRole.Arn

gautam-nutalapati commented 1 month ago

I tried this and got the error ValidationError: Circular dependency between resources: [TaskDefinition, AddonsStack, Service, TaskRole]

Steps:

I guess this approach may not work, as the TaskRole resource refers to policies created by add-ons, and referring to TaskRole in turn in add-ons may be causing this issue.

I don't know if there's a way to solve this unless we create the KMS key in the main stack itself. For now, we will continue to hard-code ARNs. :/

Let us know your thoughts.

Lou1415926 commented 1 month ago

@gautam-nutalapati Hi hi! Have you tried moving DataEncryptionKey into the main stack via YAML patch?
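As an added illustration of the approach suggested in the thread (this is not code from the issue or from the Copilot project), the patch below moves DataEncryptionKey into the service's main stack and scopes its key policy to the task role. The file location `copilot/<svc>/overrides/cfn.patches.yml` and the patch shape follow Copilot's YAML-patch override feature as documented; the logical ID `TaskRole` is taken from the error message quoted above, while the key properties, the statement Sids, the environment variable name and the container index are assumptions made for this example.

```yaml
# copilot/<svc>/overrides/cfn.patches.yml (assumed location, as created by `copilot svc override`)
# Constructed example: adds the KMS key to the service's main CloudFormation stack instead of
# the add-ons nested stack, so the key policy can reference TaskRole without the cycle
# TaskRole -> AddonsStack (managed-policy outputs) -> TaskRole (TaskRoleArn parameter).
- op: add
  path: /Resources/DataEncryptionKey
  value:
    Type: AWS::KMS::Key
    # Retain the key on stack deletion so data encrypted under it is not lost by accident.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      Description: Data encryption key for this service (constructed example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keep the account root as key administrator so the key can never become unmanageable.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS:
                Fn::Sub: "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Least privilege for the workload: the task role may use the key for data,
          # but may not change its policy, schedule deletion or create grants.
          - Sid: AllowServiceTaskRoleUse
            Effect: Allow
            Principal:
              AWS:
                Fn::GetAtt: [TaskRole, Arn]
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

# Optional: hand the key ARN to the container as an environment variable. The path assumes the
# first container definition already carries an Environment list (Copilot populates it with
# COPILOT_* variables); adjust the index if the service defines more than one container.
- op: add
  path: /Resources/TaskDefinition/Properties/ContainerDefinitions/0/Environment/-
  value:
    Name: DATA_ENCRYPTION_KEY_ARN
    Value:
      Fn::GetAtt: [DataEncryptionKey, Arn]
```

Because the key policy names the task role directly as a principal, the role needs no additional managed policy from the add-ons stack to use the key, which is exactly the edge that caused the circular dependency. Note that a KMS key cannot be moved between stacks: removing the key resource from the add-ons template without a `DeletionPolicy: Retain` schedules the old key for deletion, after which anything encrypted under it is unrecoverable, so re-encrypt or migrate data to the new key before retiring the old one.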