terraform-aws-modules/terraform-aws-kms

Support for AWS Service principals in the key policy

chris3ware opened this issue · 2 comments

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

The module only supports AWS principals; some use cases require that a service is permitted to use a key. For example, if an SNS topic is encrypted using KMS, the publisher, for example CloudWatch, must be able to use the key.

Describe the solution you'd like.

I'd like to be able to specify the AWS Service principal as an input variable, which adds the appropriate policy for the service.

Describe alternatives you've considered.

Currently using source_policy_documents to specify AWS service principals authorised to use the key, e.g.:

# Key policy statement letting the CloudWatch service principal use the key
data "aws_iam_policy_document" "sns_kms" {
  statement {
    sid    = "AllowCloudWatchToUseKey"
    effect = "Allow"

    # Service principal, not an IAM (AWS) principal
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }

    actions = [
      "kms:GenerateDataKey*",
      "kms:Decrypt"
    ]

    resources = [
      "*"
    ]

    # Only alarms in this account and region may use the key via CloudWatch
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudwatch:${var.region}:${data.aws_caller_identity.current.account_id}:alarm:*"]
    }
  }
}

Additional context

https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#compatibility-with-aws-services
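The workaround above in context, as an added example that is not part of the original issue or of the module's own code: the service-principal statement is merged into the key policy through the module's source_policy_documents input, the resulting key encrypts an SNS topic, and a CloudWatch alarm publishes to that topic. The module registry source "terraform-aws-modules/kms/aws", the version constraint, the module's key_arn output and all resource names and the region default are assumptions or constructed sample values; the aws:SourceArn condition is what keeps the grant from being usable by alarms outside this account and region, so it is worth keeping even though the principal is an AWS service.

```hcl
# Added example, not the module's own code. Assumptions: registry source
# "terraform-aws-modules/kms/aws", a "key_arn" module output, and the
# "source_policy_documents" input named in the issue.

variable "region" {
  type    = string
  default = "eu-west-1" # constructed sample value
}

data "aws_caller_identity" "current" {}

# Key policy statement granting the CloudWatch service principal use of the
# key, scoped with aws:SourceArn to alarms in this account and region.
data "aws_iam_policy_document" "sns_kms" {
  statement {
    sid    = "AllowCloudWatchToUseKey"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }

    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudwatch:${var.region}:${data.aws_caller_identity.current.account_id}:alarm:*"]
    }
  }
}

module "sns_kms_key" {
  source  = "terraform-aws-modules/kms/aws" # assumed registry source
  version = "~> 1.2"                         # assumed; 1.2.1 is the version named in the thread

  description = "CMK for the encrypted alarm notification topic"

  # Merge the service-principal statement into the key policy the module builds
  source_policy_documents = [data.aws_iam_policy_document.sns_kms.json]
}

resource "aws_sns_topic" "alarms" {
  name              = "alarm-notifications"      # constructed
  kms_master_key_id = module.sns_kms_key.key_arn # assumed output name
}

# The alarm's ARN matches the aws:SourceArn pattern above, so CloudWatch can
# generate the data key it needs to publish to the encrypted topic.
resource "aws_cloudwatch_metric_alarm" "cpu_high" {
  alarm_name          = "cpu-high" # constructed
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "CPUUtilization"
  namespace           = "AWS/EC2"
  period              = 300
  statistic           = "Average"
  threshold           = 80
  alarm_actions       = [aws_sns_topic.alarms.arn]
}
```

If a second service needs the same key (for example another publisher to the topic), add a separate statement with its own principal and its own aws:SourceArn or aws:SourceAccount condition rather than widening the CloudWatch statement; a statement with a service principal and no source condition lets any customer's use of that service in the same region call KMS with this key.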

This issue has been resolved in version 1.2.1 🎉

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.