-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(CodeBuild): Add KMS decrypt to policy for secrets from another account #14043
Comments
Hi @Kruspe , thanks for opening the issue. This should actually work already! Can you give an example where passing a Key from a different account to a Project is not working? Thanks, |
Hey @skinny85, sure we use the the environmentVariables: {
SECRET: {
value: <SECRETS_ARN_FROM_OTHER_ACCOUNT>,
type: BuildEnvironmentVariableType.SECRETS_MANAGER,
}
} This creates a policy which now correctly grants access for {
"Action": "secretsmanager:GetSecretValue",
"Resource": [
"arn:aws:secretsmanager:<REGION>:<OTHER_ACCOUNT>:secret:<SECRETS_ARN>"
],
"Effect": "Allow"
} it also creates a kms policy like this one: {
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY>",
"Effect": "Allow"
} But it is missing one for the Hope this helps. If not let me know and I can figure out a better example! |
I don't quite understand. Where is the Key in OTHER_ACCOUNT in your example? I don't see it anywhere... The KMS policy that you've shown I'm 99% sure has nothing to do with setting any environment variables (you can remove the |
The KMS policy is not in the example. That's true. Just wanted to show it for completeness sake. Sorry if that was confusing! Maybe just scrape that information it's not relevant to the issue. The other KMS policy I am talking about is used by SecretsManager. Since the secrets lives in ANOTHER_ACCOUNT we also need to allow the |
What does it mean to "allows |
No problem. Have a look here: https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html#asm-encrypt. Since KMS in the OTHER_ACCOUNT handles encryption and decryption for a secret in the OTHER_ACCOUNT a call to their KMS service is needed when someone tries to get the secret. :) |
Right. But those talk about specific Keys that are used to perform the encryption:
I don't see any mention of "allows kms:Decrypt on their account" that you mentioned above. |
Yeah I see what you mean. Let me get more specific and reference the article which is actually talking about cross account access to SecretsManager. |
@skinny85 Any update on this? Can I support you somewhere? |
This is what step 3 contains: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGetSecretValue",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret-??????"
]
},
{
"Sid": "AllowKMSDecrypt",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:Security_Account:key/DevSecretCMK_id"
]
}
]
} The permissions are only granted to a single Key, with ARN So, my question is: how is CDK supposed to know that |
That is a good question. One way would be to just the wildcard like this What do you think? |
Here are my takes on the various options:
That's a non-stater (we can't really do these sort of calls, and it would make your infrastructure non-reproducible).
That's not the worst idea! We can check the account in the ARN that we get passed, and if it's different than the account the Project is in, we could grant I'm a little worried about the wide policy, but it's true that it shouldn't be such a big deal for cross-account access...
I guess one potential way we could do it is allow passing an object where only an ARN is allowed now: // today
const project = new codebuild.Project(this, 'Project', {
// other properties...
environmentVariables: {
SECRET: {
value: 'arn:aws:secretsmanager:<secret-region>:<secret-account>:secret:<secret-name>',
type: BuildEnvironmentVariableType.SECRETS_MANAGER,
},
},
});
// tommorow?
const project = new codebuild.Project(this, 'Project', {
// other properties...
environmentVariables: {
SECRET: {
value: {
secret: 'arn:aws:secretsmanager:<secret-region>:<secret-account>:secret:<secret-name>',
key: 'arn:aws:kms:<secert-region>:<secret-account>:key/<key-id>',
},
type: BuildEnvironmentVariableType.SECRETS_MANAGER,
},
},
}); But honestly, I don't love this idea. Just too much strings! It'll be easier to just use the current solution, and then go: const project = new codebuild.Project(this, 'Project', {
// other properties...
environmentVariables: {
SECRET: {
value: 'arn:aws:secretsmanager:<secret-region>:<secret-account>:secret:<secret-name>',
type: BuildEnvironmentVariableType.SECRETS_MANAGER,
},
},
});
const key = kms.Key.fromKeyArn(this, 'Key', 'arn:aws:kms:<secert-region>:<secret-account>:key/<key-id>');
key.grantDecrypt(project); There is one other potential solution that I can see: we can allow passing a const secret = secretsmanager.Secret.fromSecretAttributes(this, 'Secret', {
secretCompleteArn: 'arn:aws:secretsmanager:<secret-region>:<secret-account>:secret:<secret-name>',
encryptionKey: 'arn:aws:kms:<secert-region>:<secret-account>:key/<key-id>',
});
const project = new codebuild.Project(this, 'Project', {
// other properties...
environmentVariables: {
SECRET: {
value: secret,
type: BuildEnvironmentVariableType.SECRETS_MANAGER,
},
},
}); The downside to this solution is that I don't know how you would pass the additional fields that CodeBuild allows for, like Thoughts on this @Kruspe? |
Alright here we go. One thing that crossed my mind is that hard coding the
I had the same worries but right now I think this might be the best way forward. I had the same approach in my mind.
I also totally agree on this. I don't like the idea and also the key rotation would be an issue here. Maybe just stating the fact of adding the
Interesting solution! I quite like it but it comes again with the draw back when you think about So in conclusion I would go with the wild card option personally. Reading the account and region from the secret is easy kmsIamResources.push(Stack.of(principal).formatArn({
service: 'kms',
resource: 'key',
resourceName: '*',
sep: ':',
partition: parsedArn?.partition,
account: parsedArn?.account,
region: parsedArn?.region,
})); And in the end use If you are happy with that solution I could go ahead and create a PR. :) |
A PR would be awesome, thanks! 😃 |
When providing a secretArn for the EnvironmentVariables allow kms:Decrypt action for any key so that CodeBuild is able to get secrets that are stored in different accounts. fixes aws#14043
When providing a secretArn from a another account for the EnvironmentVariables allow kms:Decrypt action for any key. This enables CodeBuild to get the secret without any further policy changes by the user. fixes aws#14043
When providing a secretArn from a another account for the EnvironmentVariables allow kms:Decrypt action for any key. This enables CodeBuild to get the secret without any further policy changes by the user. fixes aws#14043
When providing a secretArn from a another account for the EnvironmentVariables allow kms:Decrypt action for any key. This enables CodeBuild to get the secret without any further policy changes by the user. fixes aws#14043
When providing a secretArn from a another account for the EnvironmentVariables allow kms:Decrypt action for any key. This enables CodeBuild to get the secret without any further policy changes by the user. fixes aws#14043
… decryption (#14226) When providing a secretArn for the EnvironmentVariables allow kms:Decrypt action for any key so that CodeBuild is able to get secrets that are stored in different accounts. fixes #14043 ---- @skinny85 I didn't implement the if statement we talked about to check weither the secret actually lives in another account, since I wasn't able to come up with a good test for that. Any suggestions on this? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
… decryption (aws#14226) When providing a secretArn for the EnvironmentVariables allow kms:Decrypt action for any key so that CodeBuild is able to get secrets that are stored in different accounts. fixes aws#14043 ---- @skinny85 I didn't implement the if statement we talked about to check weither the secret actually lives in another account, since I wasn't able to come up with a good test for that. Any suggestions on this? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… decryption (aws#14226) When providing a secretArn for the EnvironmentVariables allow kms:Decrypt action for any key so that CodeBuild is able to get secrets that are stored in different accounts. fixes aws#14043 ---- @skinny85 I didn't implement the if statement we talked about to check weither the secret actually lives in another account, since I wasn't able to come up with a good test for that. Any suggestions on this? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Thanks so much for making this fix. I'd appreciate some more documentation though. We were struggling with triggering the And (maybe this should be a separate issue) should it really be required to explicitly set the |
#13706 added support for reading secrets from another account through specifying the secrets ARN. The KMS key would also live in the different account and it would be awesome if we could add the
kms:Decrypt
action to the policy. I am not sure if it would be necessary to check which kms key the secret uses or if the wildcard would suffice here. Meaning would this ressource sufficearn:<SecretPartition>:kms:<SecretRegion>:<SecretAccount>:key/*
?Use Case
When using a secret from another account one get's the error message that
Access to KMS is not allowed
.Makes secrets from another account available within CodeBuild without having to modify the policy.
Proposed Solution
When granting the principal for
secretsmanager:GetSecretValue
we should also add thekms:Decrypt
principal.This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: