feat: Add better support for managing access to imported KMS Keys and Secrets Manager Secrets #28360
Conversation
github-actions
bot
added
effort/medium
pergardebrink
force-pushed
the
pergardebrink/kms-alias-secrets
branch
from
43be0f9 to
041bd32
Compare
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
pergardebrink
changed the title
pergardebrink
force-pushed
the
pergardebrink/kms-alias-secrets
branch
4 times, most recently
from
aadaafc to
574276f
Compare
This will add a new properties to the AliasAttributes, making it possible to import by aliasArn or cross account alias by aliasName with account and region. A new static method called fromAliasArn is a shortcut to fromAliasAttribute with aliasArn specified. Granting access to the alias will create a kms:ResourceAliases condition to the principal if no target key is available. The IAlias interface was missing the aliasArn property
This was most likely a mistake after someone used code from the Bucket construct
When the base principal is an identity principal, we want to add the policy there with the kms:ViaService condition applied.
pergardebrink
force-pushed
the
pergardebrink/kms-alias-secrets
branch
from
574276f to
0458a02
Compare
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
aws-cdk-automation
added
the
closed-for-staleness
|
The pull request linter fails with the following errors: PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing |
This change introduces the possibility to grant access to secrets and kms keys cross accounts. It also adds support for kms aliases to be used with
kms:ResourceAliasescondition when the key is not available.Changes introduced:
This is my first contribution to CDK and I've read the contribution and design documents, but I am quite sure there's things I'm missing here and probably need some guidance on what tests I might need to add.
Closes #28284 and #23545
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license