
@aws-cdk/aws-codepipeline: invoking cross-account lambda requires KMS key #32693

Closed
1 task
mmendelson222 opened this issue Dec 30, 2024 · 4 comments
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@mmendelson222

Describe the bug

In our use case, a code pipeline deploys CDK based IaC to another account and then invokes a lambda for post-build testing. We are attempting to achieve this through a LambdaInvokeAction.

Older pipelines in our organization generated by CloudFormation achieve this pretty easily.

However, when the action is added to our CDK-generated pipeline, creation of the pipeline fails due to lack of a KMS key on the pipeline's artifact bucket:
[screenshot of the error]

The lambda does not require S3 access, so this is an artificial requirement. Lambda invocation in another account should NOT trigger a requirement for a KMS key on the bucket account.

Or is there a workaround that would not require addition of a KMS key?

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Ability to invoke Lambda in a secondary account without having to add a KMS key to our artifact bucket.

Current Behavior

CDK construct requires our artifact bucket to have a KMS key, despite this being unnecessary. See screen shot in description.

Reproduction Steps

  1. Create pipeline with artifact bucket having standard encryption (not KMS)
  2. Add a LambdaInvokeAction which invokes an action in another account.
  3. Update fails with error "Artifact Bucket must have a KMS Key to add cross-account action..." See screenshot for example.

Possible Solution

A way to "opt out" of cross-account KMS requirement if not needed.
...or...
Simply invoking a lambda in a second account does not trigger isCrossAccount in this location:

Additional Information/Context

No response

CDK CLI Version

2.160.0 (build 7a8ae02)

Framework Version

No response

Node.js Version

v20.8.0

OS

Windows 11

Language

TypeScript

Language Version

No response

Other information

No response

@mmendelson222 mmendelson222 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 30, 2024
@github-actions github-actions bot added the @aws-cdk/aws-codepipeline Related to AWS CodePipeline label Dec 30, 2024
@ashishdhingra ashishdhingra self-assigned this Dec 31, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 31, 2024

ashishdhingra commented Dec 31, 2024

@mmendelson222 Good afternoon. Thanks for opening the issue. Per Create a pipeline in CodePipeline that uses resources from another AWS account, you must create an AWS Key Management Service (AWS KMS) key to use, add the key to the pipeline, and set up account policies and roles to enable cross-account access. For an AWS KMS key, you can use the key ID, the key ARN, or the alias ARN.

The above error is thrown by the check here, which has been in place for over a year. LambdaInvokeActionProps also has an optional input artifacts property, which would require a KMS key for the cross-account scenario.

Per exception message, you could set crossAccountKeys: true at Pipeline level which would create encryption key automatically per logic here.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 31, 2024
@mmendelson222
Author

@ashishdhingra thanks for your quick response! Yes I see this behavior. What I would like to do here is to invoke the lambda WITHOUT having to create a KMS key on the artifact bucket.

The documentation you referenced above is helpful and does apply IF the cross-account resource we're trying to access is S3. In this case we are not using S3 - we're just executing a Lambda in the second account.

To execute the Lambda, all one should need is the proper roles. In our use case those are already in place. But this has nothing to do with KMS, so KMS should not be necessary. Thanks.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 31, 2024

ashishdhingra commented Dec 31, 2024

@mmendelson222 Thanks for your response. As mentioned in my previous comment, LambdaInvokeActionProps also has optional input artifacts property, which would require KMS key for cross account scenario. Your use case might be only invoking Lambda, but if the optional input artifacts are provided, then the scenario would fail due to lack of KMS keys. As of now, there is no way to bypass this validation.

Did you try setting crossAccountKeys as true at Pipeline level which would create encryption key automatically for you if not present?

I have added this issue to CDK team project board for inputs.

Thanks,
Ashish

@ashishdhingra ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 31, 2024

github-actions bot commented Jan 2, 2025

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jan 2, 2025
@github-actions github-actions bot closed this as completed Jan 7, 2025