
feat(kms): implement .grant methods for Alias.fromAliasName (under feature flag) #34237


Merged (11 commits), Jun 16, 2025

Conversation

@faridnsh (Contributor) commented Apr 24, 2025

This uses the kms:ResourceAliases condition to add statements allowing the methods to the principal of the grant.

Issue

Closes #22697

Reason for this change

When using KMS keys across stacks, it's sometimes difficult to pass KMS key IDs, as they are only generated after deployment; however, KMS key aliases can be passed instead, and most services accept them. Some constructs that accept a KMS alias use .grant methods to add permissions to the role that interacts with the KMS key. Before this PR, the .grant methods of Alias.fromAliasName were not implemented.

Description of changes

This PR implements .grant methods for aliases imported via kms.Alias.fromAliasName, so that when such an alias is passed to another L2 construct that uses .grant methods, the required permissions are added to the role. The added statements contain a kms:ResourceAliases condition that only allows access to the particular KMS key alias name.

A couple of examples where this is useful:

  • The CodePipeline construct accepts an S3 bucket for storing artifacts. If this S3 bucket is imported, with its KMS key alias imported as well via kms.Alias.fromAliasName, then this change results in the necessary permissions being automatically added to the CodePipeline roles.
  • When the .grant methods of imported SNS topics or SQS queues with an imported KMS key alias are used for publishers, the necessary permissions are added to the publisher roles.

Describe any new or updated permissions being added

The .grant methods of Alias.fromAliasName now result in new statements with a kms:ResourceAliases condition for that alias.

Description of how you validated changes

Added unit tests and integration tests:

  • packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.alias-from-alias-name.ts
  • packages/aws-cdk-lib/aws-kms/test/alias.test.ts

Deployed my personal project, which uses the Pipelines constructs with an imported bucket and a KMS key imported from an alias, and now my pipeline role has the correct permissions.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
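The security-relevant detail in the description is that the grant cannot name a key ARN (only the alias is known at synth time), so the statement has to allow the actions on Resource "*" and rely on the kms:ResourceAliases condition to narrow it to keys that carry that alias. Because one KMS key can carry several aliases, kms:ResourceAliases is a multivalued context key and the condition must use a set operator such as ForAnyValue:StringEquals. The following TypeScript is an added illustration of that statement shape and of how the operator evaluates; it is not code from this PR or from aws-cdk-lib. The action lists, alias names and the "alias/" normalisation are assumptions chosen for the example, and the evaluator is a simplified model of IAM condition matching, not the real policy engine.

```typescript
// Added example, not the PR's or aws-cdk-lib's code. Models the IAM statement a
// grant scoped by kms:ResourceAliases produces, and the ForAnyValue semantics
// that make a multi-alias key match while a key with a different alias does not.

interface Statement {
  Effect: "Allow";
  Action: string[];
  // The key ARN is unknown when only the alias was imported, so the statement
  // is scoped by the condition below rather than by the Resource element.
  Resource: "*";
  Condition: { "ForAnyValue:StringEquals": { "kms:ResourceAliases": string[] } };
}

// Build the grant statement for one alias. KMS alias names carry the "alias/"
// prefix; prepending it when absent is an assumption of this example.
function aliasGrantStatement(aliasName: string, actions: string[]): Statement {
  const full = aliasName.startsWith("alias/") ? aliasName : `alias/${aliasName}`;
  return {
    Effect: "Allow",
    Action: [...actions],
    Resource: "*",
    Condition: { "ForAnyValue:StringEquals": { "kms:ResourceAliases": [full] } },
  };
}

// IAM action names match case-insensitively and may contain "*" wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`, "i").test(action);
}

// Constructed request context: the aliases attached to the key the request
// targets. A call that targets no key has no kms:ResourceAliases value at all.
interface RequestContext {
  action: string;
  resourceAliases?: string[];
}

// Simplified evaluation of a single Allow statement against a request.
function allows(stmt: Statement, req: RequestContext): boolean {
  if (!stmt.Action.some((p) => actionMatches(p, req.action))) return false;
  const wanted = stmt.Condition["ForAnyValue:StringEquals"]["kms:ResourceAliases"];
  const actual = req.resourceAliases;
  // ForAnyValue: true when at least one context value equals one policy value.
  // A missing or empty context key makes the condition false, so the "*"
  // resource never opens up requests that do not target an aliased key.
  if (!actual || actual.length === 0) return false;
  return actual.some((a) => wanted.includes(a));
}

// Constructed action set in the style of an encrypt/decrypt grant (assumed, not
// copied from the library).
const ENCRYPT_DECRYPT_ACTIONS = [
  "kms:Decrypt",
  "kms:Encrypt",
  "kms:ReEncrypt*",
  "kms:GenerateDataKey*",
];

function demo(): Record<string, boolean> {
  const stmt = aliasGrantStatement("artifacts-key", ENCRYPT_DECRYPT_ACTIONS);
  return {
    // Key carrying the granted alias plus a legacy one: allowed.
    multiAliasKey: allows(stmt, {
      action: "kms:Decrypt",
      resourceAliases: ["alias/artifacts-key", "alias/legacy"],
    }),
    // Wildcarded action on the granted key: allowed.
    wildcardAction: allows(stmt, {
      action: "kms:GenerateDataKeyWithoutPlaintext",
      resourceAliases: ["alias/artifacts-key"],
    }),
    // Different key, same actions: denied despite Resource "*".
    otherKey: allows(stmt, { action: "kms:Decrypt", resourceAliases: ["alias/prod-key"] }),
    // Request with no key in context: denied.
    noKeyInContext: allows(stmt, { action: "kms:Decrypt" }),
    // Destructive action not in the grant: denied.
    ungrantedAction: allows(stmt, {
      action: "kms:ScheduleKeyDeletion",
      resourceAliases: ["alias/artifacts-key"],
    }),
  };
}
```

When reviewing a synthesized template for such a grant, check three things: the Resource is "*" (expected, since no ARN is available), the condition operator is a set operator (ForAnyValue or ForAllValues) rather than a plain StringEquals, and the alias value carries the "alias/" prefix exactly as the key's alias is named, since the comparison is an exact string match.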

@aws-cdk-automation aws-cdk-automation requested a review from a team April 24, 2025 08:29
@github-actions github-actions bot added the labels beginning-contributor, effort/small, feature-request and p2 on Apr 24, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 24, 2025
@faridnsh faridnsh changed the title feat(kms): implement .grant methods for Alias.fromAliasName feat(kms): implement .grant methods for Alias.fromAliasName (under feature flag) May 23, 2025
@faridnsh faridnsh force-pushed the alias-grants branch 3 times, most recently from 76f451a to 5acef15 Compare May 23, 2025 07:51
@matboros (Contributor) commented:

Sorry, I'm fairly new to the GH review flow, I missed publishing these comments earlier

@matboros matboros added the needs-security-review Related to feature or issues that needs security review label May 23, 2025
@faridnsh (Contributor, Author) commented:

Thanks @matboros, appreciate your review. I added them along with a few more notes about the flag in the README and the method docs. I rebased onto the latest main branch that broke the build here.

@matboros (Contributor) commented:

I requested a security review for this PR.

matboros previously approved these changes Jun 12, 2025, with the review comment:

Appsec approved

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 12, 2025
mergify bot commented Jun 12, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@matboros matboros removed the needs-security-review Related to feature or issues that needs security review label Jun 12, 2025

@mergify mergify bot dismissed matboros’s stale review June 12, 2025 13:47

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 12, 2025
…est/aws-kms/test/integ.alias-from-alias-name.ts

Co-authored-by: Matyas Boros <[email protected]>
@mergify mergify bot dismissed matboros’s stale review June 13, 2025 09:52

Pull request has been modified.

@matboros (Contributor) commented:

Thanks for the quick iteration, unfortunately you will have to run the integ tests locally again and update the generated template to match the new test code :(

matboros previously approved these changes Jun 16, 2025, with the review comment:

lgtm


mergify bot commented Jun 16, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@mergify mergify bot dismissed matboros’s stale review June 16, 2025 09:38

Pull request has been modified.

@aws-cdk-automation (Collaborator) commented:

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@aws-cdk-automation (Collaborator) commented:

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: b8790c4
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@matboros matboros added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Jun 16, 2025
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 16, 2025

@mergify mergify bot merged commit 8e19dd6 into aws:main Jun 16, 2025
26 checks passed
github-actions bot commented:

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 16, 2025
Linked issue (may be closed by this PR): aws_kms: add methods on Alias and IAlias to grant permissions to the Alias instead of the key

3 participants