Open MadsRC opened 1 year ago
For KMS, we implemented tag-based permissions, so as long as you add a `matano:trusted = true` tag to the KMS key, that will allow `kms:Decrypt` and `kms:GenerateDataKey` permissions. For cross-account keys, you'll need to allow these permissions from whatever AWS account Matano is running in.
For S3, it needs `s3:GetObject*`, `s3:GetBucket*`, and `s3:List*`. If the bucket is in the same account, this will work automatically, as the permissions are set via the transformer function's IAM role, which is managed by the CDK. For cross-account, I believe the bucket policy needs to allow these permissions from whatever account Matano is in.
For S3 access logs, I don't think cross-account access will currently work due to how object-ownership is set for them. They require an IAM role to be assumed for cross-account access because of this, which is not currently exposed as a configurable option.
That should be a sufficient start.
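The cross-account side of the comment above, written out as policy documents. This is an added example, not Matano's own code or documentation: the account ID, bucket name and statement IDs are placeholders, the action lists are the ones named in the comment, and the `missing_actions` helper is a small coverage check (IAM-style wildcard matching on action names only, not a full policy evaluator).

```python
"""Resource policies for Matano "Bring Your Own Bucket" across accounts.

Added example, not Matano's own code. Account ID and bucket name are
placeholders; the action lists are the ones given in the comment above.
"""
import fnmatch
import json

# Assumed placeholders: the account Matano is deployed in, and the bucket
# that lives in the other (log-owning) account.
MATANO_ACCOUNT_ID = "111111111111"
BUCKET = "org-cloudtrail-logs"

# Permissions listed in the comment above.
S3_ACTIONS = ["s3:GetObject*", "s3:GetBucket*", "s3:List*"]
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]


def bucket_policy(bucket: str, matano_account_id: str) -> dict:
    """Bucket policy granting the Matano account the listed S3 actions.

    Bucket-level actions (GetBucket*, List*) are evaluated against the
    bucket ARN and object-level ones (GetObject*) against the object ARN,
    so both resources are listed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "MatanoBYOBRead",  # placeholder Sid
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{matano_account_id}:root"},
            "Action": S3_ACTIONS,
            "Resource": [
                f"arn:aws:s3:::{bucket}",
                f"arn:aws:s3:::{bucket}/*",
            ],
        }],
    }


def kms_key_policy_statement(matano_account_id: str) -> dict:
    """Statement to add to the key policy of the CMK in the bucket account.

    This only lets the Matano account use the key; the key still needs the
    matano:trusted = true tag so Matano's own tag-based grant applies.
    Resource "*" is the usual form inside a key policy (it means this key).
    """
    return {
        "Sid": "MatanoBYOBDecrypt",  # placeholder Sid
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{matano_account_id}:root"},
        "Action": KMS_ACTIONS,
        "Resource": "*",
    }


def missing_actions(policy: dict, needed: list[str]) -> list[str]:
    """Return the concrete actions in `needed` that no Allow statement in
    `policy` covers. Matches '*' wildcards case-insensitively, as IAM does
    for action names; it does not evaluate Deny, Resource or Condition."""
    allowed: list[str] = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        acts = statement["Action"]
        allowed.extend([acts] if isinstance(acts, str) else acts)
    return [
        action for action in needed
        if not any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                   for pattern in allowed)
    ]


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, MATANO_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print(json.dumps(kms_key_policy_statement(MATANO_ACCOUNT_ID), indent=2))
    # Concrete S3 calls a reader would expect the wildcards to cover.
    print(missing_actions(policy, ["s3:GetObject", "s3:ListBucket",
                                   "s3:GetBucketLocation"]))
```

Apply the first document as the bucket policy in the account that owns the bucket, and append the second statement to the key policy of the CMK that encrypts those objects; the Matano-side role permissions are still managed by the CDK and are not part of this example.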
The documentation for "Bring Your Own Bucket" ingestion does not include any instructions for setting permissions required for buckets and KMS resources.
One use-case is an organisation where the AWS CloudTrail bucket is hosted in one account, but Matano is deployed somewhere else.
I'd create a PR with changes to the docs once I find out what permissions are required.