data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

Multi-account deployment did not add infra account to Key Policy for cicd stack #539

Closed rbernotas closed 1 year ago

rbernotas commented 1 year ago

Describe the bug

When deploying data.all in a multi-account setup (1 account for CICD, 1 account for infra), using v1.5, the deployment failed immediately in the dataall-staging-backend-stage Prepare step with the error:

The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: .......; Proxy: null)

Upon investigation, the S3 Bucket "dataall--ci-..." Encryption Key Policy did not allow the Decrypt action for the infrastructure account. It only allowed Decrypt for the CICD account.

Once I added the following to the Key Policy, the Prepare was able to run successfully against the infrastructure account:

```json
{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::INFRA_ACCT_ID:role/ROLE-REGION" },
  "Action": [ "kms:Decrypt", "kms:DescribeKey" ],
  "Resource": "*"
}
```

...where INFRA_ACCT_ID is replaced by the ID of the infrastructure account, ROLE is replaced with the role name that is present in the Allow Principal in the Key Policy for the CICD account, and REGION is replaced by the region.

Somehow, the Key Policy was not correctly setup for the Infrastructure account ID.

How to Reproduce

data.all v1.5

Multi-account deployment, with 1 CICD account and 1 Infrastructure account.

Expected behavior

No response

Your project

No response

Screenshots

No response

OS

N/A

Python version

N/A

AWS data.all version

1.5

Additional context

No response
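A quick way to audit an artifact-bucket key policy for the gap described in this issue, as an added example that is not part of the issue or of the data.all code base. Account IDs, role names and the policy document are constructed placeholders; the check only looks at explicit Allow statements.

```python
"""Audit a KMS key policy for cross-account kms:Decrypt grants.

Added example, not data.all's code: report which required principals no
Allow statement grants kms:Decrypt to. Account IDs, role names and the
policy below are constructed placeholders.
"""
import json
from fnmatch import fnmatch

# Constructed policy reproducing the issue: the CICD account (111111111111)
# may decrypt, but no role from the infra account appears at all.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/cdk-role-us-east-1"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list in Statement, Principal.AWS and Action."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def principals_allowed(policy_json, action):
    """AWS principals some Allow statement grants `action` to (Deny/Condition ignored)."""
    allowed = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action may carry wildcards such as "kms:*" or "*".
        if not any(fnmatch(action, p) for p in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous access: every principal matches
            return {"*"}
        allowed.update(_as_list(principal.get("AWS")))
    return allowed


def missing_decrypt(policy_json, required_principals):
    """Required principals that the policy does not allow to kms:Decrypt."""
    allowed = principals_allowed(policy_json, "kms:Decrypt")
    return [] if "*" in allowed else [p for p in required_principals if p not in allowed]
```

Run it against the real policy from `aws kms get-key-policy` with the deployment role ARN from the infra account to confirm whether the Prepare step's Decrypt is actually granted.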

dlpzx commented 1 year ago

Thanks for opening the issue, we will look into it

noah-paige commented 1 year ago

The above key policy in question relates to the Artifacts Bucket Encryption Key created by CDK Pipelines when initializing a new CodePipeline(...) construct

CDK should handle granting Read Access and Decrypt Permissions to the Pipeline Artifacts S3 Bucket and KMS Key automatically - I was not able to replicate the above error in my cross account deployment of data.all.

noah-paige commented 1 year ago

I would think re-bootstrapping the accounts and deploying the pipeline again may resolve the above error...

On the tooling account:

```bash
cdk bootstrap aws://<tooling-account-id>/<aws-region>
```

And on the deployment/infra account:

```bash
cdk bootstrap --trust <tooling-account-id> --trust-for-lookup <tooling-account-id> -c @aws-cdk/core:newStyleStackSynthesis=true --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://<deployment-account-id>/<aws-region>
```

Be sure to pass @aws-cdk/core:newStyleStackSynthesis=true

dlpzx commented 1 year ago

Closing stale issue