localstack / localstack

💻 A fully functional local AWS cloud stack. Develop and test your cloud & Serverless apps offline
https://localstack.cloud

KMS with Policy fails #7605

Closed pixie79 closed 1 year ago

pixie79 commented 1 year ago

Current Behavior

When using Terraform to create a KMS key with a policy every time I get the error

Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals

Expected Behavior

It should create the key with the attached policy as it is valid when run against AWS.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack

docker-compose up

version: "3.8"

services:
  localstack:
    container_name: "${LOCALSTACK_DOCKER_NAME-localstack_main}"
    image: localstack/localstack-pro
    ports:
      - "127.0.0.1:4566:4566"            # LocalStack Gateway
      - "127.0.0.1:4510-4559:4510-4559"  # external services port range
    environment:
      - DEBUG=1
      - DOCKER_HOST=unix:///var/run/docker.sock
      - LOCALSTACK_API_KEY=<API_KEY_REDACTED>
    volumes:
      - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
      - "/var/run/docker.sock:/var/run/docker.sock"

Terraform

main.tf

locals {
  region                = data.aws_region.current.name
  account_id            = data.aws_caller_identity.current.account_id
}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "base_kms_policy" {
  statement {
    sid = "Enable current User"
    principals {
      identifiers = [data.aws_caller_identity.current.arn]
      type        = "AWS"
    }
    actions = [
      "kms:*"
    ]
    resources = [
      "arn:aws:kms:${local.region}:${local.account_id}:key/*",
      "arn:aws:kms:${local.region}:${local.account_id}:alias/*"
    ]
  }
}

resource "aws_kms_key" "key1" {
  description             = "key1"
  deletion_window_in_days = 10
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.base_kms_policy.json
}

resource "aws_kms_alias" "alias" {
  target_key_id = aws_kms_key.key1.id
  name          = "alias/key1"
}

resource "aws_kms_key" "key2" {
  description             = "key2"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

terraform init
terraform apply

Key 1 fails to create as it has a policy, Key 2 creates fine.

Environment

- OS: OSX 13.1
- LocalStack: localstack/localstack-pro        latest       a440862bcd77

providers.tf

provider "aws" {
  region = "af-south-1"
  skip_credentials_validation = true
  skip_metadata_api_check = true
  skip_requesting_account_id = true
  skip_region_validation = true
  endpoints {
    apigateway     = "http://localhost:4566"
    cloudformation = "http://localhost:4566"
    cloudwatch     = "http://localhost:4566"
    dynamodb       = "http://localhost:4566"
    es             = "http://localhost:4566"
    firehose       = "http://localhost:4566"
    iam            = "http://localhost:4566"
    kinesis        = "http://localhost:4566"
    lambda         = "http://localhost:4566"
    route53        = "http://localhost:4566"
    redshift       = "http://localhost:4566"
    s3             = "http://localhost:4566"
    secretsmanager = "http://localhost:4566"
    ses            = "http://localhost:4566"
    sns            = "http://localhost:4566"
    sqs            = "http://localhost:4566"
    ssm            = "http://localhost:4566"
    stepfunctions  = "http://localhost:4566"
    sts            = "http://localhost:4566"
  }
}

terraform {
  required_version = ">=1.3.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=4.52.0"
    }
  }
}


Anything else?

No response
localstack-bot commented 1 year ago

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

whummer commented 1 year ago

Hi @pixie79 , thanks for the detailed report.

Looks like the endpoint for kms is still missing in your config - getting the following error when trying to deploy your sample:

│ Error: creating KMS Key: UnrecognizedClientException: The security token included in the request is invalid.
│   status code: 400, request id: e2c55e39-2ab7-4af1-9939-197052b6e370

Does it work if you add the following entry to your endpoints section in the provider?

    kms            = "http://localhost:4566"

Btw, we usually recommend using the tflocal command line, it does all the wiring of endpoints under the covers, so you don't need to configure them manually: https://github.com/localstack/terraform-local
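
The practical point in the reply above is that a service with no entry in the provider's endpoints block is not routed to LocalStack at all: the AWS provider falls back to the real endpoint for that service, so a local test run sends whatever credentials are in the environment to AWS, and the resulting error looks like a policy or credential problem rather than a wiring problem. The following Python script is an added example, not code from the report or from LocalStack: it pulls the service names out of the endpoints block, maps the resource and data-source types used in main.tf to the service each one calls, and reports services with no endpoint override. The input strings are a constructed, shortened copy of the report's providers.tf and main.tf, and the type-to-service table is an assumption that covers only the types in this report.

```python
import re

# Constructed sample: a shortened copy of the report's providers.tf. As in the
# report, there is no "kms" entry in the endpoints block.
PROVIDERS_TF = """
provider "aws" {
  region = "af-south-1"
  endpoints {
    iam            = "http://localhost:4566"
    s3             = "http://localhost:4566"
    sts            = "http://localhost:4566"
  }
}
"""

# Constructed sample: the resource and data-source types used in the report's main.tf.
MAIN_TF = """
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "base_kms_policy" {}
resource "aws_kms_key" "key1" {}
resource "aws_kms_alias" "alias" {}
resource "aws_kms_key" "key2" {}
"""

# Assumption: this table maps only the types that appear in the report to the
# endpoint key the AWS provider uses for them. None means the type makes no
# API call (region comes from the provider config, the policy document is
# rendered client-side). Extend it for your own stack.
TYPE_TO_SERVICE = {
    "aws_kms_key": "kms",
    "aws_kms_alias": "kms",
    "aws_caller_identity": "sts",
    "aws_region": None,
    "aws_iam_policy_document": None,
}


def configured_endpoints(providers_tf: str) -> dict:
    """Return {service: url} parsed from the endpoints { ... } block."""
    block = re.search(r"endpoints\s*\{(.*?)\}", providers_tf, re.S)
    if not block:
        return {}
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]+)"', block.group(1)))


def referenced_types(main_tf: str) -> set:
    """Return the set of aws_* resource and data-source types declared in main_tf."""
    return set(re.findall(r'^\s*(?:resource|data)\s+"(aws_\w+)"', main_tf, re.M))


def non_local_endpoints(endpoints: dict) -> dict:
    """Endpoints that do not point at the local host; these would receive real traffic."""
    local = re.compile(r"^https?://(localhost|127\.0\.0\.1|localstack|\[::1\])(:\d+)?(/|$)")
    return {svc: url for svc, url in endpoints.items() if not local.match(url)}


def missing_endpoints(providers_tf: str, main_tf: str, mapping=TYPE_TO_SERVICE):
    """Return (missing, unknown): services used by main_tf with no endpoint
    override, keyed by service with the types that need it, and the set of
    types the mapping does not know about."""
    endpoints = configured_endpoints(providers_tf)
    missing, unknown = {}, set()
    for tf_type in sorted(referenced_types(main_tf)):
        if tf_type not in mapping:
            unknown.add(tf_type)
            continue
        service = mapping[tf_type]
        if service is not None and service not in endpoints:
            missing.setdefault(service, []).append(tf_type)
    return missing, unknown


if __name__ == "__main__":
    missing, unknown = missing_endpoints(PROVIDERS_TF, MAIN_TF)
    for service, types in missing.items():
        print(f"no endpoint override for {service}: used by {', '.join(types)}")
    for tf_type in sorted(unknown):
        print(f"unknown type {tf_type}: add it to TYPE_TO_SERVICE")
    for service, url in non_local_endpoints(configured_endpoints(PROVIDERS_TF)).items():
        print(f"endpoint for {service} is not local: {url}")
```

Run against the report's configuration this flags kms as the only service without an override, which matches the reply: the STS and IAM calls reach LocalStack while the CreateKey call leaves the machine. It also explains why the error is a policy error and not a connection error: the principal ARN in the policy comes from the sts endpoint (LocalStack) and is then presented to a different KMS endpoint that has never seen that account, which is the kind of mismatch the MalformedPolicyDocumentException wording describes (an inference from the reply, not something the thread confirms). Running this check in CI before `terraform apply`, or using tflocal as suggested, avoids the class of problem where a test run quietly talks to a real account.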

localstack-bot commented 1 year ago

Hello 👋! It looks like this issue hasn’t been active in longer than two months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.