
Recommended policy for KMS controller does not include kms:EnableKeyRotation #2239

Open
j3ffrw opened this issue Jan 14, 2025 · 1 comment
Labels: good first issue, help wanted

Comments


j3ffrw commented Jan 14, 2025

Describe the bug
The policy recommended in https://github.com/aws-controllers-k8s/kms-controller/blob/main/config/iam/recommended-inline-policy does not include kms:EnableKeyRotation, causing the following error during creation of the resource.

"error":"AccessDeniedException: User: arn:aws:sts::77777777777:assumed-role/ack-kms-202501100234234234243243234/234728374242842 is not authorized to perform: kms:EnableKeyRotation on resource: arn:aws:kms:us-west-2:777777777:key/aaaaaaa-bbbb-ccc-ddd-dfasfasdfse434 because no identity-based policy allows the kms:EnableKeyRotation action\n\tstatus code: 400, request id: 2342dsfsdf-fdef-4fe3-94e7-3w4wsfds8834"

Steps to reproduce

  • Deploy ack-kms
  • Deploy key crd
apiVersion: kms.services.k8s.aws/v1alpha1
kind: Key
metadata:
  name: samplekey
  namespace: db
spec:
  description: sample key for secretsmanager
  enableKeyRotation: true
  keySpec: SYMMETRIC_DEFAULT
  keyUsage: ENCRYPT_DECRYPT
  tags:
    - tagKey: Name
      tagValue: sampleykey

Expected outcome
Create key w/ auto key rotation enabled.

Actual result
A partially created key w/ the autorotation setting disabled.

Environment
AWS

  • Kubernetes version
  • Using EKS (yes/no), if so version? EKS 1.30
  • AWS service targeted (S3, RDS, etc.) KMS key
@rushmash91 (Member) commented

Hi @j3ffrw, thank you for reporting the issue!

Would you be interested in contributing a fix for this? The change would be straightforward - we'd need to add the kms:EnableKeyRotation permission to the recommended inline policy in the config/iam/recommended-inline-policy file.

rushmash91 added the good first issue and help wanted labels on Feb 21, 2025
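The failure above is a least-privilege gap that only surfaces at reconcile time: the controller creates the key and then calls EnableKeyRotation, which the role was never granted. The following script, added here as an illustration and not code from the kms-controller project, checks an IAM policy document against the actions a Key spec will need before the resource is applied. The policy document is constructed (it is not the real recommended-inline-policy file), the evaluation is simplified to Allow/Deny action matching with Resource and Condition ignored, and only the enableKeyRotation -> kms:EnableKeyRotation link is taken from the issue; the other entries in required_actions are an assumed simplification.

```python
import copy
import fnmatch
import json

# Constructed IAM policy document, modelled only on the general shape of an ACK
# recommended inline policy; it is NOT the real file from the kms-controller repo.
# It deliberately omits kms:EnableKeyRotation, the gap the issue reports.
POLICY_WITHOUT_ROTATION = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:CreateKey", "kms:DescribeKey", "kms:TagResource"],
      "Resource": "*"
    }
  ]
}
""")

# The Key spec from the issue, reduced to the fields that decide which API calls run.
KEY_SPEC = {
    "description": "sample key for secretsmanager",
    "enableKeyRotation": True,
    "keySpec": "SYMMETRIC_DEFAULT",
    "keyUsage": "ENCRYPT_DECRYPT",
    "tags": [{"tagKey": "Name", "tagValue": "sampleykey"}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Simplified identity-based evaluation: an explicit Deny beats any Allow, and
    the action must match some Allow statement's Action list. Resource, Condition
    and NotAction are ignored, which is adequate for a Resource: "*" policy."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(_as_list(stmt.get("Action")))
    if any(_action_matches(p, action) for p in deny):
        return False
    return any(_action_matches(p, action) for p in allow)


def required_actions(key_spec):
    """Actions the reconciler must be able to call for this spec. Only the link
    enableKeyRotation -> kms:EnableKeyRotation comes from the issue; the other
    entries are an assumed simplification for this example."""
    needed = {"kms:CreateKey", "kms:DescribeKey"}
    if key_spec.get("enableKeyRotation"):
        needed.add("kms:EnableKeyRotation")
    if key_spec.get("tags"):
        needed.add("kms:TagResource")
    return needed


def missing_permissions(policy, key_spec):
    """Sorted list of required actions the policy does not allow."""
    return sorted(a for a in required_actions(key_spec) if not is_allowed(policy, a))


def with_added_actions(policy, actions):
    """Return a copy of the policy with an extra Allow statement for the given
    actions: the fix suggested in the thread, applied to the constructed policy."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}
    ]
    return fixed


if __name__ == "__main__":
    gap = missing_permissions(POLICY_WITHOUT_ROTATION, KEY_SPEC)
    print("missing before fix:", gap)  # ['kms:EnableKeyRotation']
    fixed = with_added_actions(POLICY_WITHOUT_ROTATION, gap)
    print("missing after fix:", missing_permissions(fixed, KEY_SPEC))  # []
```

Running the check against the constructed policy reports exactly the action named in the AccessDeniedException; adding it as a narrow Allow (rather than widening to kms:*) closes the gap while keeping the role scoped to the calls the reconciler actually makes.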