Add notes about @aws-cdk/kms:applyImportedAliasPermissionsToPrincipal to docs

Farid Nouri Neshat · Farid Nouri Neshat · commit 1c7f6e8639da · 2025-05-24T20:04:38.000+02:00
diff --git a/packages/aws-cdk-lib/aws-kms/README.md b/packages/aws-cdk-lib/aws-kms/README.md
@@ -91,9 +91,10 @@ const trail = new cloudtrail.Trail(this, 'myCloudTrail', {
 });
 ```
 
-Note that calls to `addToResourcePolicy` method on `myKeyAlias` will be a no-op,  
-`addAlias` and `aliasTargetKey` will fail and `grant*` methods will not modify the key policy, 
-as the imported alias does not have a reference to the underlying KMS Key.
+Note that calls to `addToResourcePolicy` method on `myKeyAlias` will be a no-op, `addAlias` and `aliasTargetKey` will fail.
+The `grant*` methods will not modify the key policy, as the imported alias does not have a reference to the underlying KMS Key.
+For the `grant*` methods to modify the principal's IAM policy, the feature flag `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal`
+must be set to `true`. By default, this flag is `false` and `grant*` calls on an imported alias are a no-op.
 
 ### Lookup key by alias
 
diff --git a/packages/aws-cdk-lib/aws-kms/lib/alias.ts b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
@@ -188,7 +188,11 @@ export class Alias extends AliasBase {
    * Import an existing KMS Alias defined outside the CDK app, by the alias name. This method should be used
    * instead of 'fromAliasAttributes' when the underlying KMS Key ARN is not available.
    * This Alias will not have a direct reference to the KMS Key, so addAlias method is not supported.
-   * The grant* methods will use the kms:ResourceAliases condition to grant permissions to the specific alias name. They will also only modify the principal policy, not the key resource policy.
+   *
+   * If the `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal` feature flag is set to `true`,
+   * the grant* methods will use the kms:ResourceAliases condition to grant permissions to the specific alias name.
+   * They will only modify the principal policy, not the key resource policy.
+   * Without the feature flag `grant*` methods will be a no-op.
    *
    * @param scope The parent creating construct (usually `this`).
    * @param id The construct's name.
