mongodb / mongodbatlas-cloudformation-resources

MongoDB Atlas CloudFormation Resources: Deploy, update, and manage MongoDB Atlas infrastructure as code through AWS CloudFormation
https://www.mongodb.com/atlas/aws-cloudformation
Apache License 2.0

feat: Update resource-role.yaml with KMS Permissions #1114

Closed matthew-ewing closed 1 month ago

matthew-ewing commented 1 month ago

Proposed changes

My organization has a use case where we would like to use an existing KMS Customer Managed Key in our AWS accounts to encrypt the AWS SecretsManager resources accessed by this stack. In order to do so, the resource role needs access to KMS.

Jira ticket: CLOUDP-#

Currently we receive an error when attempting to create a MongoDB Atlas Cluster using this specific configuration: AtlasCluster Resource handler returned message: "AccessDeinedException: Access to KMS is not allowed"

Link to any related issue(s): Related to internal support case 01334748

Type of change:

Manual QA performed:

Required Checklist:

Further comments

lantoli commented 1 month ago

Thanks @matthew-ewing for creating this PR. Unfortunately I don't think it will have the effect you need. The permissions in this file are only for the execution of the CRUDL operations, of MongoDB::Atlas::Cluster in this case, i.e. when the cluster is created, read, updated, listed, deleted. In those operations KMS is not used.

You will probably want to change permissions for KMS policy or for the IAM role that executes your CFN stack:

(screenshot: cfn_stack)

I hope this helps. If you have any other question please let me know.

matthew-ewing commented 1 month ago

I believe the issue I am running into is when this role attempts to create the cluster, it reads from secrets manager to obtain credentials. The secrets stored in secrets manager are encrypted using an AWS KMS customer managed key. I think that is why I am seeing this specific error on cluster create. Although it would appear KMS is not being used, permissions for KMS are required in order to perform secretsmanager:GetSecretValue for secrets encrypted with a CMK.

See this AWS doc for additional details: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encrypt

AgustinBettati commented 1 month ago

Hi @matthew-ewing. Wanted to confirm if you were able to reference the note we have in our README.md file related to using an AWS KMS key to handle encryption of your secret. This mentions specific resource policies that need to be configured in the KMS key so that Secrets Manager has the appropriate access.

lantoli commented 1 month ago

hi @matthew-ewing , as @AgustinBettati mentions you should be able to change the key policy to allow access to Secrets Manager.

There is also more info in Key Policies.

lantoli commented 1 month ago

hi @matthew-ewing, I'm not sure that file is really used by the resource operations. Can you try to use an Execution Role when activating the MongoDB::Atlas::Cluster resource with the KMS permissions you want to try?

(screenshot: role)

EspenAlbert commented 1 month ago

Here are the AWS Docs about resource-role.yaml. See the "Accessing AWS APIs from a resource type" heading.

[..]. When you use submit to register the resource type, the CloudFormation CLI attempts to create or update an execution role based on the template, and then passes this execution role to CloudFormation as part of the registration

cfn submit is only a command used during development. It doesn't impact the end-user when they are using a public third-party extension; it only applies when they are using their private registry. Therefore, this PR will not achieve the goal of the extra KMS permission. However, this can be done by changing the execution_role documented in our Examples Readme.md.
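The thread points at two places that must both grant access before a CMK-encrypted secret can be read: the execution role that CloudFormation assumes for the MongoDB::Atlas::* handlers (lantoli's and EspenAlbert's comments) and the key policy of the customer managed key itself (AgustinBettati's and lantoli's comments). The template below is an added illustration written for this page; it is not code from the mongodbatlas-cloudformation-resources repository or from any of the commenters. Every name, Sid and ARN in it is a placeholder, and it creates a new key only so that the example is self-contained; in the situation described in the PR the key already exists and only the AllowExecutionRoleViaSecretsManager statement would be added to its existing policy. The kms:ViaService and kms:CallerAccount conditions restrict the grant so the role can only use the key through Secrets Manager in this account, rather than calling KMS directly.

```yaml
# Added example, not from the repository: least-privilege KMS access for a
# CloudFormation execution role that reads a CMK-encrypted Secrets Manager secret.
# All resource names and the SecretArn parameter are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Execution role plus CMK key policy for reading an encrypted secret

Parameters:
  SecretArn:
    Type: String
    Description: ARN of the Secrets Manager secret holding the Atlas API keys (placeholder)

Resources:
  # Execution role assumed by CloudFormation when it runs the resource handlers.
  # The trust policy is scoped to this account so another account cannot assume it.
  AtlasExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  # Customer managed key. Its key policy must admit the execution role explicitly;
  # an IAM policy on the role alone is not sufficient for a CMK.
  SecretKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK protecting the Atlas API key secret (placeholder)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowExecutionRoleViaSecretsManager
            Effect: Allow
            Principal:
              AWS: !GetAtt AtlasExecutionRole.Arn
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                # Only honour requests that arrive through Secrets Manager in this region/account
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com
                kms:CallerAccount: !Ref AWS::AccountId

  # Attached as a separate policy so the role and the key do not reference each other
  # directly, which would be a circular dependency in CloudFormation.
  AtlasExecutionRoleSecretAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ReadAtlasSecret
      Roles:
        - !Ref AtlasExecutionRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: secretsmanager:GetSecretValue
            Resource: !Ref SecretArn
          - Effect: Allow
            Action: kms:Decrypt
            Resource: !GetAtt SecretKey.Arn
            Condition:
              StringEquals:
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com
```

The role created here is the one to pass as the execution role when activating the MongoDB::Atlas::Cluster resource, as lantoli's screenshot describes; nothing in the handler's own resource-role.yaml is consulted for a public extension. If the "Access to KMS is not allowed" error persists after both statements are in place, the KMS API call that fails will appear in CloudTrail as a Decrypt event with the execution role as the principal, which is the quickest way to confirm whether the key policy or the role policy is the one still denying it.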