codepipeline.Artifact's KMS key policy missing statement

[evansgp]

I was using the 'Code Pipeline' example as a base to start from and when the CodePipeline deploy stage runs the created 'LambdaStack' stack fails to deploy the lambda with an error when creating the 'Lambda' resource.

It looks like the issue is that the KMS key used to encrypt the pipeline's artifact bucket does not get a key policy that grants access to the role used by the CloudFormation Deploy configuration (not the role of the action, the RoleArn in the Configuration). It looks like it does have the roles for each action, however. I "fixed" it by manually adding another statement to the KMS key policy:

  {
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::***:role/PipelineDeployingLambdaSt-PipelineDeployLambdaCFND-2PSOH3NC3C0T"
      },
      "Action": [
          "kms:Decrypt",
          "kms:DescribeKey"
      ],
      "Resource": "*"
  }

I'm filing this as a bug rather than a documentation issue because I can't actually see how I'd get any kind of handle on the created KMS key in order to add to it's policy, it looks like it is all done behind the scenes.

I've copied the doco example into a repo for easier repro: https://github.com/evansgp/pipeline

Reproduction Steps

• Clone https://github.com/evansgp/pipeline and push to a CodeCommit repo called test-repo or adjust pipeline-stack.ts as required.
• npm run build
• cdk deploy PipelineDeployingLambdaStack
• Observe error when the CodePipeline runs the deploy stage
• Add the above statement to the KMS key policy for the PipelineDeployingLambdaSt-PipelineDeployLambdaCFND-*** role
• Delete the LambdaDeploymentStack stack
• Trigger CodePipeline
• Observe success

Error Log

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for pipelinedeployinglambdas-pipelineartifactsbucket2-10tl91h7l6k52/PipelineDeployingLam/LambdaBuil/JL0zh79. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: bffb5f70-ae11-4397-b6de-753b30d797ca)

[evansgp]

... well I have figured out how to get a handle on the KMS key:

pipeline.artifactBucket.encryptionKey?.grantDecrypt(deployAction.deploymentRole);

https://github.com/evansgp/pipeline/commit/e552ef3c08ecbe64a2bebedf034d122e6bd51eea

So it's probably just a doco bug.

[skinny85]

Thanks for opening the issue @evansgp . It's not just a documentation bug; it was a problem fixed in #5190 . As you can see, the fix was already merged, and will be released with version 1.19.0, which will be released 2 weeks from now (next week is re:Invent, so we won't be having a release).

[skinny85]

Closing, as this was done in 1.19.0.