Closed rbernotas closed 1 year ago
Thanks for opening the issue, we will look into it
The above key policy in question relates to the Artifacts Bucket Encryption Key created by CDK Pipelines when initializing a new CodePipeline(...) construct.
CDK should handle granting Read Access and Decrypt Permissions to the Pipeline Artifacts S3 Bucket and KMS Key automatically - I was not able to replicate the above error in my cross account deployment of data.all.
I would think re-bootstrapping the accounts and deploying the pipeline again may resolve the above error...
On the tooling account:

```shell
cdk bootstrap aws://<tooling-account-id>/<aws-region>
```

And on the deployment/infra account:

```shell
cdk bootstrap --trust <tooling-account-id> --trust-for-lookup <tooling-account-id> -c @aws-cdk/core:newStyleStackSynthesis=true --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://<deployment-account-id>/<aws-region>
```

Be sure to pass `@aws-cdk/core:newStyleStackSynthesis=true`
Closing stale issue
Describe the bug
When deploying data.all in a multi-account setup (1 account for CICD, 1 account for infra), using v1.5, the deployment failed immediately in the dataall-staging-backend-stage Prepare step with the error:
The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: .......; Proxy: null)
Upon investigation, the S3 Bucket "dataall-Once I added the following to the Key Policy, the Prepare was able to run successfully against the infrastructure account:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::INFRA_ACCT_ID:role/ROLE-REGION"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```

...where INFRA_ACCT_ID is replaced by the ID of the infrastructure account, ROLE is replaced with the role name that is present in the Allow Principal in the Key Policy for the CICD account, and REGION is replaced by the region.
Somehow, the Key Policy was not correctly set up for the Infrastructure account ID.
How to Reproduce
data.all v1.5
Multi-account deployment, with 1 CICD account and 1 Infrastructure account.
Expected behavior
No response
Your project
No response
Screenshots
No response
OS
N/A
Python version
N/A
AWS data.all version
1.5
Additional context
No response
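An offline way to verify the condition this issue describes before a deploy, as an added example that is not data.all or CDK code: given the artifact-bucket key policy, it reports which of the actions the Prepare step needs (kms:Decrypt, kms:DescribeKey) are not effectively granted to a principal in the infrastructure account, and shows the effect of appending the statement from the report. The account IDs and the `ROLE-REGION` role ARN are constructed placeholders.

```python
"""Check a KMS key policy for the cross-account grant the Prepare step needs.

Added example, not data.all or CDK code. Account IDs and role name are
constructed; the statement appended by with_infra_statement() is the one
from the issue report.
"""
import json
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = ("kms:Decrypt", "kms:DescribeKey")


def _as_list(value):
    """IAM accepts either a scalar or a list in Principal/Action fields."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    """True if the statement's Principal element covers principal_arn."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(p in ("*", principal_arn) for p in aws)


def _actions_for(stmt, effect, principal_arn):
    """Required actions that this statement applies `effect` to for principal_arn."""
    if stmt.get("Effect") != effect or not _principal_matches(stmt.get("Principal"), principal_arn):
        return set()
    patterns = [p.lower() for p in _as_list(stmt.get("Action"))]  # IAM actions are case-insensitive
    return {a for a in REQUIRED_ACTIONS if any(fnmatchcase(a.lower(), p) for p in patterns)}


def missing_actions(key_policy, principal_arn):
    """Required actions NOT effectively granted to principal_arn (an explicit Deny wins).
    Resource is ignored: a key policy only ever applies to its own key."""
    stmts = _as_list(json.loads(key_policy)["Statement"])
    allowed = set().union(*(_actions_for(s, "Allow", principal_arn) for s in stmts))
    denied = set().union(*(_actions_for(s, "Deny", principal_arn) for s in stmts))
    return [a for a in REQUIRED_ACTIONS if a not in allowed - denied]


def with_infra_statement(key_policy, principal_arn):
    """Return the policy with the statement the reporter added appended to it."""
    doc = json.loads(key_policy)
    doc["Statement"] = _as_list(doc["Statement"]) + [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]
    return json.dumps(doc)


# Constructed policy: the key trusts only the CICD account root, as in the report.
CICD_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"}]})
INFRA_ROLE = "arn:aws:iam::222222222222:role/ROLE-REGION"  # constructed placeholder
```

Running `missing_actions(CICD_ONLY_POLICY, INFRA_ROLE)` reproduces the reported gap, and the same call on `with_infra_statement(...)` returns an empty list.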