aws-stepfunctions-tasks: SNSPublish KMS permissions #32303

Open
1 of 2 tasks
lucacucchetti opened this issue Nov 27, 2024 · 1 comment
Labels
@aws-cdk/aws-stepfunctions-tasks effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@lucacucchetti
Contributor

Describe the feature

When using SnsPublish, it would be good if the task included granting the permissions needed for publishing to topics using a CMK.

Use Case

Convenience; furthermore, this can sometimes get in the way of creating abstractions, for example needing to create and pass in the StateMachine role where tasks are created, or surface the SNS topic until the role is created.

Proposed Solution

I see there is a place where permissions (in policies) are determined:

```ts
this.taskPolicies = [
  new iam.PolicyStatement({
    actions: ['sns:Publish'],
    resources: [this.props.topic.topicArn],
  }),
];
```

I understand the complication would be that the topic does not have its masterKey exposed.

This doesn't seem to be unusual, for example the SQS queue exposes the key used for encryption:

```ts
public readonly encryptionMasterKey?: kms.IKey;
```

So my proposal would be to expose the key in the Topic, and use it to define the taskPolicies.

Having said that, maybe other Tasks such as SendToQueue should also include the relevant EncryptDecrypt permissions.

```ts
policyStatements: [new iam.PolicyStatement({
  actions: ['sqs:SendMessage'],
  resources: [this.queue.queueArn],
})],
```

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.167.1

Environment details (OS name and version, etc.)

macOS Sonoma 14.7.1

@lucacucchetti lucacucchetti added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2024
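Added example (not part of the issue, and not aws-cdk-lib code): the statements quoted above grant only `sns:Publish` / `sqs:SendMessage`, so a state machine role built from them cannot publish to a topic (or send to a queue) encrypted with a customer managed key, because SNS and SQS use the caller's credentials to obtain a data key from that CMK. The snippet below models the current and the proposed task policies as plain IAM statement objects, plus a small Allow-only evaluator with IAM-style `*` matching, to show which KMS calls the current policy leaves out. The `Statement` type, the function names, and the ARNs are constructed for illustration; nothing here imports the CDK, so it runs stand-alone.

```typescript
// Added example, not CDK source. Models the SnsPublish / SendToQueue task
// policies as plain IAM statement objects and checks which calls they allow.

interface Statement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

// Current behaviour, as in the snippet quoted in the issue: sns:Publish only.
function currentSnsPublishPolicy(topicArn: string): Statement[] {
  return [{ Effect: 'Allow', Action: ['sns:Publish'], Resource: [topicArn] }];
}

// Proposed behaviour: when the topic has a customer managed key, SNS generates
// a data key under that CMK with the publisher's credentials, so the publisher
// also needs kms:GenerateDataKey* and kms:Decrypt on the key. AWS managed keys
// (alias/aws/sns) do not need this; their key policy already lets the service
// use them.
function proposedSnsPublishPolicy(topicArn: string, masterKeyArn?: string): Statement[] {
  const statements = currentSnsPublishPolicy(topicArn);
  if (masterKeyArn) {
    statements.push({
      Effect: 'Allow',
      Action: ['kms:GenerateDataKey*', 'kms:Decrypt'],
      Resource: [masterKeyArn],
    });
  }
  return statements;
}

// The SQS analogue mentioned in the issue: sqs:SendMessage plus the same KMS
// pair when the queue has an encryptionMasterKey.
function proposedSendToQueuePolicy(queueArn: string, encryptionMasterKeyArn?: string): Statement[] {
  const statements: Statement[] = [
    { Effect: 'Allow', Action: ['sqs:SendMessage'], Resource: [queueArn] },
  ];
  if (encryptionMasterKeyArn) {
    statements.push({
      Effect: 'Allow',
      Action: ['kms:GenerateDataKey*', 'kms:Decrypt'],
      Resource: [encryptionMasterKeyArn],
    });
  }
  return statements;
}

// IAM-style wildcard: '*' matches any run of characters; action names are
// compared case-insensitively. Only Allow statements are modelled here.
function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function patternMatches(pattern: string, value: string): boolean {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegex).join('.*') + '$', 'i');
  return re.test(value);
}

function isAllowed(statements: Statement[], action: string, resource: string): boolean {
  return statements.some(
    (s) =>
      s.Action.some((a) => patternMatches(a, action)) &&
      s.Resource.some((r) => patternMatches(r, resource)),
  );
}

// Constructed sample ARNs (account id and key id are placeholders).
const TOPIC_ARN = 'arn:aws:sns:us-east-1:111122223333:orders';
const KEY_ARN = 'arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000';

// The calls made with the publisher's credentials for a CMK-encrypted topic.
const REQUIRED_CALLS: Array<[string, string]> = [
  ['sns:Publish', TOPIC_ARN],
  ['kms:GenerateDataKey', KEY_ARN],
  ['kms:Decrypt', KEY_ARN],
];

// Returns the actions from REQUIRED_CALLS that the given policy does not allow.
function missingCalls(statements: Statement[]): string[] {
  return REQUIRED_CALLS.filter(([a, r]) => !isAllowed(statements, a, r)).map(([a]) => a);
}

console.log('current policy is missing:', missingCalls(currentSnsPublishPolicy(TOPIC_ARN)));
console.log('proposed policy is missing:', missingCalls(proposedSnsPublishPolicy(TOPIC_ARN, KEY_ARN)));
```

Running it reports that the current policy is missing `kms:GenerateDataKey` and `kms:Decrypt`, while the proposed one is missing nothing; the `kms:GenerateDataKey*` wildcard also covers `GenerateDataKeyWithoutPlaintext`, and the KMS grant stays scoped to the topic's own key ARN rather than `*`. The key policy is the other half of the picture: the key must still allow the state machine role (or IAM in the account) to use it, which the task policy alone cannot arrange.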
@ashishdhingra
Contributor

At a high level, the feature request makes sense. We could expose the encryptionMasterKey property in the Step Functions SNS publish task. Also refer to Configure KMS permissions for AWS services, which states that "Several AWS services act as event sources that can send events to Amazon SQS queues. To allow these event sources to work with encrypted queues, you must create a customer managed KMS key and add permissions in the key policy for the service to use the required AWS KMS API methods."

@ashishdhingra ashishdhingra added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2024