Add notes about @aws-cdk/kms:applyImportedAliasPermissionsToPrincipal…
… to docs
Farid Nouri Neshat authored and faridnsh committed May 27, 2025
commit df4f6368544f35448f738ffc7fa04f28e017c71d
7 changes: 4 additions & 3 deletions packages/aws-cdk-lib/aws-kms/README.md
Expand Up @@ -91,9 +91,10 @@ const trail = new cloudtrail.Trail(this, 'myCloudTrail', {
});
```

Note that calls to `addToResourcePolicy` method on `myKeyAlias` will be a no-op,
`addAlias` and `aliasTargetKey` will fail and `grant*` methods will not modify the key policy,
as the imported alias does not have a reference to the underlying KMS Key.
Note that calls to `addToResourcePolicy` method on `myKeyAlias` will be a no-op, `addAlias` and `aliasTargetKey` will fail.
The `grant*` methods will not modify the key policy, as the imported alias does not have a reference to the underlying KMS Key.
For the `grant*` methods to modify the principal's IAM policy, the feature flag `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal`
must be set to `true`. By default, this flag is `false` and `grant*` calls on an imported alias are a no-op.

### Lookup key by alias

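Review bot: The first added line of this hunk still carries a comma splice: "will be a no-op, `addAlias` and `aliasTargetKey` will fail" joins two independent claims with a comma, and "calls to `addToResourcePolicy` method" is missing "the". Suggest "Note that calls to the `addToResourcePolicy` method on `myKeyAlias` are a no-op, and `addAlias` and `aliasTargetKey` will fail." Two further points on the same hunk: the flag is spelled `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal` here but `@aws-cdk/kms:applyImportedAliasPermissionsToPrincipal` in the commit title, so one of the two should be corrected before merge so that readers searching for the flag name find it; and since the README now tells users the flag "must be set to `true`", a one-line example of where that is done (the `context` block of `cdk.json`) would save a trip to the feature-flags page.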
6 changes: 5 additions & 1 deletion packages/aws-cdk-lib/aws-kms/lib/alias.ts
Expand Up @@ -188,7 +188,11 @@ export class Alias extends AliasBase {
* Import an existing KMS Alias defined outside the CDK app, by the alias name. This method should be used
* instead of 'fromAliasAttributes' when the underlying KMS Key ARN is not available.
* This Alias will not have a direct reference to the KMS Key, so addAlias method is not supported.
* The grant* methods will use the kms:ResourceAliases condition to grant permissions to the specific alias name. They will also only modify the principal policy, not the key resource policy.
*
* If the `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal` feature flag is set to `true`,
* the grant* methods will use the kms:ResourceAliases condition to grant permissions to the specific alias name.
* They will only modify the principal policy, not the key resource policy.
* Without the feature flag `grant*` methods will be a no-op.
*
* @param scope The parent creating construct (usually `this`).
* @param id The construct's name.
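Review bot: The added doc comment says the `grant*` methods "will only modify the principal policy, not the key resource policy" but does not tell the caller what that implies: a KMS key policy must itself allow the principal (typically by delegating to IAM for the account), otherwise the principal-side statement carrying the `kms:ResourceAliases` condition grants nothing in practice. One sentence to that effect after the `kms:ResourceAliases` line would stop a reader from assuming the grant is sufficient on its own. Minor, on the last added line: a comma is missing after "feature flag", and `grant*` is backticked there but not on the two lines above; pick one form.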