Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(s3): dependency not added when key alias provided as encryptionKey to bucket #25761

Closed
thbrooks22 opened this issue May 26, 2023 · 2 comments · Fixed by #25822
Closed

(s3): dependency not added when key alias provided as encryptionKey to bucket #25761

thbrooks22 opened this issue May 26, 2023 · 2 comments · Fixed by #25822
Labels
@aws-cdk/aws-kms Related to AWS Key Management @aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@thbrooks22
Copy link

Describe the bug

Our team has an S3 Bucket construct that uses a KMS Alias construct as its (the Bucket's) encryptionKey. When the CDK code is compiled down to CloudFormation, the BucketEncryption.ServerSideEncryptionConfiguration.KMSMasterKeyID compiles down to something like

{
 "Fn::Join": [
  "",
  [
   "arn:",
   {
    "Ref": "AWS::Partition"
   },
   ":kms:<REGION>:<ACCOUNT_ID>:alias/<ALIAS_NAME>"
  ]
 ]
}

instead of something like

{
 "Ref": "<ALIAS_LOGICAL_ID>"
}

which was unexpected.

This impacted us in production in the following way. We had already deployed our Bucket previously, and writes to the Bucket are on the critical path for some of our APIs. We wanted to deploy the Key and corresponding Alias as well, so we did so. However, during the deployment for about 2 minutes, the APIs for which the Bucket is on the critical path were giving Internal Server Errors due to AmazonS3Exception: Alias <ALIAS_ARN> is not found.. We found that this was because, without a logical dependency between Bucket and Alias, the Bucket's encryptionKey was updated before the Alias had been created.

Expected Behavior

We expected the BucketEncryption.ServerSideEncryptionConfiguration.KMSMasterKeyID to compile down to something like

{
 "Ref": "<ALIAS_LOGICAL_ID>"
}

so that there would be a logical dependency between the Bucket and the Alias, which is what you would expect from looking at the CDK code.

Current Behavior

The BucketEncryption.ServerSideEncryptionConfiguration.KMSMasterKeyID compiled down to something like

{
 "Fn::Join": [
  "",
  [
   "arn:",
   {
    "Ref": "AWS::Partition"
   },
   ":kms:<REGION>:<ACCOUNT_ID>:alias/<ALIAS_NAME>"
  ]
 ]
}

instead.

Reproduction Steps

Create a stack consisting only of the following CDK constructs:

const keyPolicy = new PolicyDocument({
  statements: [
    new PolicyStatement({
      sid: 'FooStmt',
      'actions': [
        'kms:Decrypt',
        'kms:GenerateDataKey'
      ],
      principals: [new AnyPrincipal()],
      resources: ['*'],
    })
  ]
})

const key = new Key(this, 'FooBucketKey', {
  enableKeyRotation: true,
  enabled: true,
  policy: keyPolicy,
  removalPolicy: RemovalPolicy.RETAIN
})

const alias = new Alias(this, 'FooBucketKeyAlias', {
  aliasName: 'fooBucketKeyAlias',
  targetKey: key
})

const bucket = new Bucket(this, 'FooBucket', {
  bucketName: 'fooBucket',
  removalPolicy: RemovalPolicy.RETAIN,
  blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
  versioned: true,
  encryption: BucketEncryption.KMS,
  encryptionKey: alias,
  enforceSSL: true
})

Possible Solution

When attaching an IKey to a resource, check if the IKey is an Alias, and if so, compile down to a reference instead of an ARN.

Additional Information/Context

No response

CDK CLI Version

2.14.0

Framework Version

No response

Node.js Version

14.21.3

OS

Amazon Linux 2

Language

Typescript

Language Version

Typescript (4.3.0)

Other information

No response
@thbrooks22 thbrooks22 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 26, 2023
@github-actions github-actions bot added the @aws-cdk/aws-kms Related to AWS Key Management label May 26, 2023
@kaizencc kaizencc changed the title aws-kms: Key Aliases Compile to Raw String Instead of Ref When Attached to Resources (s3): dependency not added when key alias provided as encryptionKey to bucket May 26, 2023
@kaizencc kaizencc added p1 @aws-cdk/aws-s3 Related to Amazon S3 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 26, 2023
@rix0rrr
Copy link
Contributor

rix0rrr commented May 30, 2023
edited
Loading

I think we change:

    this.aliasName = this.getResourceNameAttribute(resource.aliasName);

into

    this.aliasName = this.getResourceNameAttribute(resource.ref);

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-kms/lib/alias.ts/#L227

I suggest we do that, but maybe under a feature flag for safety?

Motivation: resource.aliasName is the value of AliasName property as provided by the user (always a literal string).

resource.ref will be { Ref: MyAlias }, evaluating to the same value (alias name) but having a reference implied.

(This change may break cross-account workflows if people currently are relying on the literal string to make that reference work)

@kaizencc kaizencc mentioned this issue Jun 1, 2023
Merged
@mergify mergify bot closed this as completed in #25822 Jun 2, 2023
mergify bot pushed a commit that referenced this issue Jun 2, 2023
@kaizencc
fix(kms): aliasName references alias itself (under feature flag) (#25822
45734e3 
)

Fixes #25761

The existing behavior was that `alias.aliasName` was always a raw string, so properties like `keyId` and `keyArn` depended on a raw string and not a reference to the alias itself. This behavior is preserved.

Under a new feature flag, `const KMS_ALIAS_NAME_REF = '@aws-cdk/aws-kms:aliasNameRef'`, we instead use a reference to the `aliasName` output itself, which means that properties that depend on `aliasName` now depend on the `alias`. In turn, the `alias` depends on the `key`. This allows the expected behavior where specifying something like `alias.keyArn()` depends on the key.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Jun 2, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-kms Related to AWS Key Management @aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(kms): aliasName references alias itself (under feature flag) aws/aws-cdk
3 participants
@rix0rrr @kaizencc @thbrooks22