Description
Describe the bug
Generally, states added to a state machine grant all the policy permissions they need to the state machine's execution role. When the DistributedMap
construct reads from or writes to a KMS-encrypted bucket, however, the KMS key permissions that access requires are left out.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
The step function should grant necessary KMS permissions on its returned policies.
Current Behavior
The step function does not grant necessary KMS permissions on its returned policies. Example error:
Failed to write a test manifest into the specified output bucket. Access denied. Ensure the correct permissions are added to your state machine's execution role. | Message from S3: User: is not authorized to perform: kms:GenerateDataKey on resource: because no identity-based policy allows the kms:GenerateDataKey action
Reproduction Steps
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import {
  DefinitionBody, DistributedMap, Pass, ResultWriter, S3JsonItemReader, StateMachine,
} from 'aws-cdk-lib/aws-stepfunctions';

// Both buckets use SSE-KMS, so reading and writing objects needs kms:Decrypt / kms:GenerateDataKey
// on their keys in addition to the S3 object permissions. `this` is the enclosing Stack or Construct.
const inputBucket = new Bucket(this, 'DistributedMapInputBucket', {
  encryption: BucketEncryption.KMS,
  enforceSSL: true,
});
const outputBucket = new Bucket(this, 'DistributedMapOutputBucket', {
  encryption: BucketEncryption.KMS,
  enforceSSL: true,
});

// The item reader and result writer only grant S3 actions on the execution role; no KMS actions are added.
new StateMachine(this, 'Test', {
  definitionBody: DefinitionBody.fromChainable(new DistributedMap(this, 'Map', {
    itemReader: new S3JsonItemReader({
      bucket: inputBucket,
      key: 'some-object',
    }),
    resultWriter: new ResultWriter({
      bucket: outputBucket,
      prefix: 'some-prefix',
    }),
  }).itemProcessor(new Pass(this, 'pass'))),
});
Possible Solution
ResultWriter and ItemReader should add KMS key read/write actions to the statements returned by their providePolicyStatements methods, similar to what Bucket.grantRead and Bucket.grantWrite do for a bucket with a KMS encryption key.
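To make the gap concrete, here is an added example (not code from the issue or from aws-cdk-lib) that models the S3-only statements the reader and writer grant today, the KMS statements an SSE-KMS bucket additionally needs (modelled on Bucket.grantRead / Bucket.grantWrite), and a minimal identity-policy check for the kms:GenerateDataKey denial in the error above. The exact action lists and all ARNs are assumptions and constructed placeholders, not values taken from the CDK source.

```typescript
// Added example: model the DistributedMap role policy and check the KMS action the error names.
interface Statement { Effect: 'Allow' | 'Deny'; Action: string[]; Resource: string[] }
interface KmsBucket { bucketArn: string; encryptionKeyArn?: string } // key absent for SSE-S3

// What the item reader / result writer grant today (assumed lists): S3 actions only, no KMS.
function readerStatements(b: KmsBucket): Statement[] {
  return [{ Effect: 'Allow', Action: ['s3:GetObject'], Resource: [`${b.bucketArn}/*`] }];
}
function writerStatements(b: KmsBucket): Statement[] {
  return [{ Effect: 'Allow',
    Action: ['s3:PutObject', 's3:GetObject', 's3:ListMultipartUploadParts', 's3:AbortMultipartUpload'],
    Resource: [`${b.bucketArn}/*`] }];
}

// The missing KMS grants, modelled on Bucket.grantRead (decrypt) and Bucket.grantWrite
// (encrypt / generate data key). A bucket without a customer key needs nothing extra.
function kmsStatements(b: KmsBucket, mode: 'read' | 'write'): Statement[] {
  if (!b.encryptionKeyArn) return [];
  const actions = mode === 'read'
    ? ['kms:Decrypt', 'kms:DescribeKey']
    : ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'];
  return [{ Effect: 'Allow', Action: actions, Resource: [b.encryptionKeyArn] }];
}

// Minimal identity-policy check with IAM '*' wildcards in Action and Resource.
// Ignores Deny statements, conditions and resource policies; enough to spot a missing Allow.
function wildcardMatch(pattern: string, value: string): boolean {
  const escaped = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(value);
}
function allows(policy: Statement[], action: string, resource: string): boolean {
  return policy.some(s => s.Effect === 'Allow'
    && s.Action.some(a => wildcardMatch(a, action))
    && s.Resource.some(r => wildcardMatch(r, resource)));
}

// Constructed buckets mirroring the reproduction: both SSE-KMS, placeholder ARNs.
const input: KmsBucket = { bucketArn: 'arn:aws:s3:::distributed-map-input',
  encryptionKeyArn: 'arn:aws:kms:us-east-1:111122223333:key/INPUT-KEY-ID' };
const output: KmsBucket = { bucketArn: 'arn:aws:s3:::distributed-map-output',
  encryptionKeyArn: 'arn:aws:kms:us-east-1:111122223333:key/OUTPUT-KEY-ID' };

// Role policy as built today, and with the proposed KMS statements appended.
const currentPolicy: Statement[] = [...readerStatements(input), ...writerStatements(output)];
const fixedPolicy: Statement[] = [...currentPolicy,
  ...kmsStatements(input, 'read'), ...kmsStatements(output, 'write')];

// The action/resource pair the Step Functions error reports as denied when writing the manifest.
function manifestWriteAllowed(policy: Statement[]): boolean {
  return allows(policy, 'kms:GenerateDataKey', output.encryptionKeyArn!);
}
```

The same check can be run against statements lifted from a `cdk synth` template to confirm a deployed role covers the KMS actions before a run fails on the manifest write.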
Additional Information/Context
No response
CDK CLI Version
2.164.1
Framework Version
No response
Node.js Version
18
OS
macOS
Language
TypeScript
Language Version
No response
Other information
No response