
cdk-pipelines: Setting CrossAccountKeys with custom bootstrap role causes an error #21973

Open
biffgaut opened this issue Sep 8, 2022 · 2 comments
Labels
@aws-cdk/aws-kms Related to AWS Key Management @aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@biffgaut
Contributor

biffgaut commented Sep 8, 2022

Describe the bug

When CrossAccountKeys is set when creating a cdk-pipelines:CodePipeline construct, and launching the stack with a bootstrapped CDK role that doesn't have Admin privileges, the stack will not launch.

Expected Behavior

The following code should create a CodePipeline and a KMS key later used to encrypt pipeline assets even with a non-default CDK bootstrap role:

    import { Aws, Stack, StackProps } from 'aws-cdk-lib';
    import * as codecommit from 'aws-cdk-lib/aws-codecommit';
    import { CodePipeline, CodePipelineSource, ShellStep } from 'aws-cdk-lib/pipelines';
    import { Construct } from 'constructs';

    export class CrossAccountPipelinesStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        // Existing CodeCommit repository the pipeline reads from
        const repo = codecommit.Repository.fromRepositoryArn(this, 'CrossAccountPipeline', `arn:${Aws.PARTITION}:codecommit:us-west-2:123456789012:our-repo`);

        const pipeline = new CodePipeline(this, 'Pipeline', {
          // The pipeline name
          pipelineName: 'TestCrossAccountPipeline',
          // Creates a customer-managed KMS key for the artifact bucket
          crossAccountKeys: true,

          // How it will be built and synthesized
          synth: new ShellStep('Synth', {
            // Where the source can be found
            input: CodePipelineSource.codeCommit(repo, 'mainline'),

            // Install dependencies, build and run cdk synth
            commands: [
              'npm install -g aws-cdk',
              'npm ci',
              'npm run build',
              'npm run test',
              'cdk synth',
            ],
          }),
        });
      }
    }

Current Behavior

When we run the code above, we get the error "The new key policy will not allow you to update the key policy in the future."

The generated CFN template is:

  "PipelineArtifactsBucketEncryptionKeyF5BF0670": {
   "Type": "AWS::KMS::Key",
   "Properties": {
    "KeyPolicy": {
     "Statement": [
      {
       "Action": "kms:*",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::123456789012:root"
          ]
         ]
        }
       },
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "CrossAccountPipelinesStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource"
   }
  },

The error can be avoided by including the CDK bootstrap role as a Principal in the Key Policy, or by giving the CDK bootstrap role Admin privileges, but there is no way to affect the principals in the Key Policy through the CodePipeline class.

Reproduction Steps

Place the code above in a CDK app (any repo can be used), build. Re-bootstrap your environment with a role that doesn't include Admin (it can include AWSKeyManagementServicePowerUser).

npm run build
cdk deploy

The deployment will fail with the policy error.

Possible Solution

As the only way to affect this KMS Key and its policy through the CodePipeline class is the boolean CrossAccountKeys property, there is no way to pass a key, role or policy into CodePipeline to avoid this error. Short of submitting a PR to aws-cdk, our only path forward seems to be loosening the policy in the CDK Bootstrap Role.

Am I missing another solution?

Additional Information/Context

No response

CDK CLI Version

2.37.0

Framework Version

2.37.0

Node.js Version

16.15.0

OS

iOS

Language

Typescript

Language Version

No response

Other information

No response

@biffgaut biffgaut added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 8, 2022
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Sep 8, 2022
@rix0rrr
Contributor

rix0rrr commented Sep 19, 2022

I am guessing you don't need full Admin privileges, just kms:PutKeyPolicy.

I suppose the reason is your role has kms:CreateKey but not kms:PutKeyPolicy, and indeed if you ever decided to try and update the key policy via CloudFormation that would fail. You would be allowed to create the key, but never change it again afterwards.

That seems like a risky configuration, and KMS is correctly picking up on it.

I suppose the ideal situation would be if we could add in a key policy allowing future kms:PutKeyPolicy by the "current principal" at the time we create the key, regardless of who that "current principal" would be (we cannot assume it's the bootstrapped execution role, people might be using the CLI and an arbitrary role to deploy). But I don't know how to do that, and I'm not sure it's possible at all.

More investigation is necessary here.

@rix0rrr rix0rrr added @aws-cdk/aws-kms Related to AWS Key Management effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2022
@rix0rrr rix0rrr removed their assignment Sep 19, 2022
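As an added illustration of the check rix0rrr describes (not code from this issue or from aws-cdk): a simplified Python model of the KMS lockout safety check, run over the key policy from the generated template above. A key policy that names only the account root delegates to IAM, so the deploying role keeps kms:PutKeyPolicy only if its own IAM policy grants it; the deployer ARN and the IAM action lists are constructed placeholders, and Deny statements and Conditions are ignored.

```python
import json

# Constructed sample: the key policy CDK generates for the artifact-bucket key, naming
# only the account root (so access is delegated to the account's IAM policies).
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": "kms:*", "Effect": "Allow", "Resource": "*",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]
}""")
# Constructed placeholder for the role CloudFormation deploys with.
DEPLOYER = "arn:aws:iam::123456789012:role/example-cfn-exec-role"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM/KMS action strings allow a trailing wildcard, e.g. 'kms:*' or 'kms:Describe*'."""
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def key_policy_grants(policy, principal_arn, action):
    """Does any Allow statement cover (principal, action): by naming the principal
    directly, or by naming its account root? Simplification: Deny and Condition ignored."""
    partition, account = principal_arn.split(":")[1], principal_arn.split(":")[4]
    root_arn = f"arn:{partition}:iam::{account}:root"
    named = via_root = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        named = named or principal_arn in principals
        via_root = via_root or root_arn in principals
    return named, via_root

def keeps_put_key_policy(policy, deployer_arn, deployer_iam_actions):
    """Model of 'the new key policy will not allow you to update the key policy in the
    future': the caller keeps kms:PutKeyPolicy if the key policy names it, or if the
    policy grants the account root AND the caller's IAM policy allows kms:PutKeyPolicy."""
    named, via_root = key_policy_grants(policy, deployer_arn, "kms:PutKeyPolicy")
    iam_allows = any(_action_matches(p, "kms:PutKeyPolicy") for p in deployer_iam_actions)
    return named or (via_root and iam_allows)

def with_principal(policy, principal_arn):
    """Copy of the policy whose first statement also names principal_arn: the
    workaround the issue mentions (adding the bootstrap role to the key policy)."""
    new = json.loads(json.dumps(policy))
    stmt = new["Statement"][0]
    stmt["Principal"]["AWS"] = _as_list(stmt["Principal"]["AWS"]) + [principal_arn]
    return new
```

A deployer whose IAM policy grants kms:CreateKey but not kms:PutKeyPolicy fails the check against the generated policy; naming it in the key policy, or granting it kms:PutKeyPolicy in IAM, passes.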
@dboyd13

dboyd13 commented Jun 4, 2023

Chiming in here to let you know that I've encountered what I believe to be the same issue.

My understanding is that PutKeyPolicy is a KMS Key policy action, not an IAM policy condition - source. If this were accurate then an IAM Principal that had the AdministratorAccess managed policy attached should theoretically run into the same error as an IAM Principal that had something more specifically scoped to the intent of the action, such as the AWSKeyManagementServicePowerUser managed policy.

My findings are that at this time in order to deploy a CDK Project that includes CrossAccountKeys for a pipeline, one cannot scope-down just the relevant AWS managed IAM policies, and must use AdministratorAccess instead.

CDK: 2.81.0 (build bd920f2)
