Closed matthew-ewing closed 1 month ago
Thanks @matthew-ewing for creating this PR. Unfortunately I don't think it will have the effect you need. The permissions in this file are only for the execution of the CRUDL operations, of MongoDB::Atlas::Cluster in this case, i.e. when the cluster is created, read, updated, listed or deleted. In those operations KMS is not used.
You will probably want to change permissions for the KMS policy or for the IAM role that executes your CFN stack:
I hope this helps. If you have any other questions please let me know.
I believe the issue I am running into is that when this role attempts to create the cluster, it reads from Secrets Manager to obtain credentials. The secrets stored in Secrets Manager are encrypted using an AWS KMS customer managed key. I think that is why I am seeing this specific error on cluster create. Although it would appear KMS is not being used, permissions for KMS are required in order to perform secretsmanager:GetSecretValue for secrets encrypted with a CMK.
See this AWS doc for additional details: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encrypt
Hi @matthew-ewing. Wanted to confirm whether you were able to reference the note we have in our README.md file related to using an AWS KMS key to handle encryption of your secret. This mentions specific resource policies that need to be configured in the KMS key so that Secrets Manager has the appropriate access.
Hi @matthew-ewing, as @AgustinBettati mentions, you should be able to change the key policy to allow access to Secrets Manager.
There is also more info in Key Policies
Hi @matthew-ewing, I'm not sure that file is really used by the resource operations. Can you try to use an Execution Role when activating the MongoDB::Atlas::Cluster resource with the KMS permissions you want to try?
Here are the AWS Docs about resource-role.yaml. See the "Accessing AWS APIs from a resource type" heading.
> [..] When you use submit to register the resource type, the CloudFormation CLI attempts to create or update an execution role based on the template, and then passes this execution role to CloudFormation as part of the registration.

cfn submit is only a command used during development. It doesn't impact the end-user when they are using a public third-party extension, only when they are using their private registry.
Therefore, this PR will not achieve the goal of the extra KMS permission.
However, this can be done by changing the execution_role documented in our Examples Readme.md.
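What the two suggestions in this thread (grant Secrets Manager access in the KMS key policy, and give the execution role the KMS permission instead of editing resource-role.yaml) look like as a single CloudFormation fragment. This is an added example, not a template from this repository or from AWS; the resource names (AtlasSecretKey, AtlasExecutionRole, AtlasSecretAccess), the trust principal for the execution role and the secret ARN pattern cfn/atlas/profile/* are assumptions for illustration. The kms:ViaService condition is the mechanism the AWS doc linked above describes for letting a key be used only through Secrets Manager.

```yaml
# Added example (not the project's own template). Assumed names:
# AtlasSecretKey, AtlasExecutionRole, AtlasSecretAccess, secret name prefix cfn/atlas/profile/.
Resources:
  # Resource-side half of the grant: the key policy must allow the execution role to
  # decrypt with this CMK, and only when the call arrives through Secrets Manager.
  AtlasSecretKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK that encrypts the MongoDB Atlas API key secret
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keep the account root as key administrator so the key stays manageable.
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # secretsmanager:GetSecretValue on a CMK-encrypted secret needs kms:Decrypt
          # on the key; restrict it to calls made via Secrets Manager in this account.
          - Sid: AllowSecretsManagerUseByExecutionRole
            Effect: Allow
            Principal:
              AWS: !GetAtt AtlasExecutionRole.Arn
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com
                kms:CallerAccount: !Ref AWS::AccountId

  # The execution role handed to CloudFormation when the third-party resource type is
  # activated (the role referenced in the Examples Readme.md), trusted by the
  # resource-type service principal. Its permissions live in a separate policy below
  # so that key and role can reference each other without a circular dependency.
  AtlasExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole

  # Identity-side half of the grant: read the profile secret and decrypt with the CMK,
  # again only through Secrets Manager, so the role cannot use the key for anything else.
  AtlasSecretAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AtlasSecretAccess
      Roles:
        - !Ref AtlasExecutionRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: secretsmanager:GetSecretValue
            Resource: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:cfn/atlas/profile/*
          - Effect: Allow
            Action: kms:Decrypt
            Resource: !GetAtt AtlasSecretKey.Arn
            Condition:
              StringEquals:
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com

Outputs:
  ExecutionRoleArn:
    Description: Pass this ARN as the execution role when activating MongoDB::Atlas::Cluster
    Value: !GetAtt AtlasExecutionRole.Arn
```

Both halves are needed: an identity policy with kms:Decrypt does nothing if the key policy does not also allow that principal, which is why adding the action to resource-role.yaml alone, even if that file were used at activation time, would still leave the "Access to KMS is not allowed" error. Scoping kms:Decrypt with kms:ViaService keeps the role from using the CMK directly, and the secret ARN pattern should be narrowed to the profile secret the stack actually reads.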
Proposed changes
My organization has a use case where we would like to use an existing KMS Customer Managed Key in our AWS accounts to encrypt the AWS SecretsManager resources accessed by this stack. In order to do so, the resource role needs access to KMS.
Jira ticket: CLOUDP-#
Currently we receive an error when attempting to create an MongoDB Atlas Cluster using this specific configuration:
AtlasCluster Resource handler returned message: "AccessDeniedException: Access to KMS is not allowed"
Link to any related issue(s): Related to internal support case 01334748
Type of change:
Manual QA performed:
Required Checklist:
- I have run make fmt and formatted my code
Further comments