stepfunctions: ItemReader and ResultWriter do not grant KMS permissions #32144

Open
@BadMagic100

Description

Describe the bug

Generally, states added to a state machine will grant all necessary policy permissions to the execution role of the state machine. When using the DistributedMap construct, however, the necessary permissions for working with encrypted buckets are left out.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The step function should grant necessary KMS permissions on its returned policies.

Current Behavior

The step function does not grant necessary KMS permissions on its returned policies. Example error:

Failed to write a test manifest into the specified output bucket. Access denied. Ensure the correct permissions are added to your state machine's execution role. | Message from S3: User: is not authorized to perform: kms:GenerateDataKey on resource: because no identity-based policy allows the kms:GenerateDataKey action

Reproduction Steps

import { Stack } from 'aws-cdk-lib';
import { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import {
    DefinitionBody, DistributedMap, Pass, ResultWriter, S3JsonItemReader, StateMachine,
} from 'aws-cdk-lib/aws-stepfunctions';

// Both buckets use SSE-KMS, so any principal reading or writing objects
// also needs permissions on the bucket's encryption key.
const inputBucket = new Bucket(this, 'DistributedMapInputBucket', {
    encryption: BucketEncryption.KMS,
    enforceSSL: true,
});
const outputBucket = new Bucket(this, 'DistributedMapOutputBucket', {
    encryption: BucketEncryption.KMS,
    enforceSSL: true,
});
// The DistributedMap grants S3 actions on both buckets to the execution role,
// but no kms:* actions on their keys.
new StateMachine(this, 'Test', {
    definitionBody: DefinitionBody.fromChainable(new DistributedMap(this, 'Map', {
        itemReader: new S3JsonItemReader({
            bucket: inputBucket,
            key: 'some-object',
        }),
        resultWriter: new ResultWriter({
            bucket: outputBucket,
            prefix: 'some-prefix',
        }),
    }).itemProcessor(new Pass(this, 'pass'))),
});

Possible Solution

ResultWriter and ItemReader should add key read/write actions to their providePolicyStatements (both linked), similar to Bucket.grantRead and Bucket.grantWrite here

Additional Information/Context

No response

CDK CLI Version

2.164.1

Framework Version

No response

Node.js Version

18

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response
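As an added example (not code from the issue or from aws-cdk), the following TypeScript check inspects a synthesized execution-role policy document for the KMS actions the ItemReader and ResultWriter need on an SSE-KMS bucket; the action lists and the two sample policy documents are assumptions constructed for the check, and the key ARN is a placeholder.

```typescript
// Added example, not code from the issue or from aws-cdk: a pre-deploy check that
// an execution role's policy document grants the KMS actions a DistributedMap
// with an S3 ItemReader / ResultWriter on SSE-KMS buckets needs.
interface IamStatement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource?: string | string[];
}
interface IamPolicyDocument {
  Version: string;
  Statement: IamStatement[];
}

// Assumed minimum per component: reading an object needs Decrypt; writing needs
// GenerateDataKey (the action in the issue's error) and Decrypt for multipart uploads.
const ITEM_READER_KMS_ACTIONS = ['kms:Decrypt'];
const RESULT_WRITER_KMS_ACTIONS = ['kms:GenerateDataKey', 'kms:Decrypt'];

const toArray = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM action strings allow '*' wildcards (e.g. "kms:GenerateDataKey*", "kms:*")
// and match case-insensitively; turn such a pattern into an anchored regex.
function actionPatternMatches(pattern: string, action: string): boolean {
  const escaped = pattern.split('*').map(p => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$', 'i').test(action);
}

// Returns the required actions that no Allow statement in the document covers.
function missingKmsActions(doc: IamPolicyDocument, required: string[]): string[] {
  const allowed: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect === 'Allow') allowed.push(...toArray(s.Action));
  }
  return required.filter(req => !allowed.some(pat => actionPatternMatches(pat, req)));
}

// Constructed sample: S3-only statements like those the issue describes the construct emitting.
const S3_ONLY_POLICY: IamPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'], Resource: '*' },
    { Effect: 'Allow', Action: ['s3:PutObject', 's3:AbortMultipartUpload'], Resource: '*' },
  ],
};

// Constructed sample: the same role with a key statement added (what the issue asks for).
const WITH_KMS_POLICY: IamPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    ...S3_ONLY_POLICY.Statement,
    { Effect: 'Allow', Action: ['kms:Decrypt', 'kms:GenerateDataKey*'], Resource: 'arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER' },
  ],
};
```

Running `missingKmsActions` against a synthesized role policy before deploy surfaces the gap as a list of actions instead of the runtime "Access denied" from the manifest write.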

Metadata

Assignees

No one assigned

Labels

  • @aws-cdk/aws-stepfunctions (Related to AWS StepFunctions)
  • bug (This issue is a bug.)
  • effort/small (Small work item – less than a day of effort)
  • p2
