Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: KMS access denied errors when downloading the static env file #5514

Merged
merged 11 commits into from
Dec 11, 2023
Merged

fix: KMS access denied errors when downloading the static env file #5514

merged 11 commits into from
Dec 11, 2023

Conversation

bencehornak
Copy link
Contributor

@bencehornak bencehornak commented Dec 1, 2023
edited
Loading

Bug description

Since Copilot 1.32.0 cross account deployments are broken for all services (except static website) due to lacking permissions on the task execution role to perform the kms:Decrypt operation on the required key.

Background

Since #5329 the artifacts are encrypted with a Kms Key, which belongs to the App stack.

Due to the wrong configuration of the ExecutionRole resource if one deploys the workload to a different account than where the app stack is located, the download of the env file fails due to the lacking kms:Decrypt permission on the corresponding key.

https://github.com/bencehornak/copilot-cli/blob/67db7a2d4f94c69c836586f714341e587b1b8220/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml#L39-L43

Note that this policy grants access to all keys in the workload's account (which is not a great practice either, see #4628), which is wrong, considering that the key is located in the app's account.

Fix

The policy was changed to the following:

- Effect: 'Allow'
  Action:
    - 'kms:Decrypt'
  Resource:
    - !Ref ArtifactKeyARN

where ArtifactKeyARN is the ARN of the Kms Key.

TODO

  • There are many failing test cases, because the generated YAML changes. Is there a way to efficiently fix all of these test cases?
  • Would it make sense to add a test case, which prevents this bug in the feature? If yes, how? -> changed some test cases to test if the KMS key ARN gets passed to the stacks

Conclusion

Fixes partially: #4628.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

@bencehornak bencehornak requested a review from a team as a code owner December 1, 2023 14:07
@bencehornak bencehornak requested review from KollaAdithya and removed request for a team December 1, 2023 14:07
@bencehornak bencehornak changed the title Fix kms access denied Fix KMS access denied errors when downloading the static env file Dec 1, 2023
@bencehornak-gls
Copy link

This workaround worked for fixing deployments for a Backend Service with Copilot 1.32.0:

- op: replace
  path: /Resources/ExecutionRole/Properties/Policies/0/PolicyDocument/Statement/2/Resource/0
  value: arn:aws:kms:....:key/... # the KMS key's ARN, which you see exported on the app's CloudFormation stack

@iamhopaul123 iamhopaul123 changed the title Fix KMS access denied errors when downloading the static env file fix: KMS access denied errors when downloading the static env file Dec 1, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 1, 2023
edited
Loading

🍕 Here are the new binary sizes!

Name New size (kiB) size (kiB) Delta (%)
macOS (amd) 56796 55192 🥺 +2.91
macOS (arm) 57800 56144 🥺 +2.95
linux (amd) 49804 48440 🥺 +2.82
linux (arm) 49088 47744 🥺 +2.82
windows (amd) 46928 45672 🥺 +2.75

@bencehornak
Copy link
Contributor Author

bencehornak commented Dec 2, 2023
edited
Loading

This line might also be buggy

copilot-cli/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml

Line 60 in cce61ba

- !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'

UPDATE: yes, it was, fixed it in a later commit.

@codecov-commenter
Copy link

codecov-commenter commented Dec 3, 2023
edited
Loading

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (f847fef) 70.03% compared to head (6308cf6) 70.04%.
Report is 2 commits behind head on mainline.

Files Patch % Lines
internal/pkg/cli/deploy/backend.go 0.00% 1 Missing ⚠️
internal/pkg/cli/deploy/job.go 0.00% 1 Missing ⚠️
internal/pkg/cli/deploy/lbws.go 0.00% 1 Missing ⚠️
internal/pkg/cli/deploy/rdws.go 0.00% 1 Missing ⚠️
internal/pkg/cli/deploy/worker.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff            @@
##           mainline    #5514   +/-   ##
=========================================
  Coverage     70.03%   70.04%           
=========================================
  Files           302      302           
  Lines         46064    46078   +14     
  Branches        309      309           
=========================================
+ Hits          32263    32277   +14     
- Misses        12234    12237    +3     
+ Partials       1567     1564    -3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

iamhopaul123
iamhopaul123 approved these changes Dec 3, 2023
View reviewed changes
Copy link
Contributor

@iamhopaul123 iamhopaul123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! Thank you for fixing this bug!

...rnal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json Outdated
@@ -11,6 +11,7 @@
"LogRetention": "30",
"ContainerPort": "8080",
"EnvFileARN": "",
"ArtifactKeyARN": "",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we in at least one integ test verifying ArtifactKeyARN can be rendered correctly with the app stackset resource info?

iamhopaul123
iamhopaul123 reviewed Dec 3, 2023
View reviewed changes
Copy link
Contributor

@iamhopaul123 iamhopaul123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great if you can fix another wrong reference for the KMS key here for the static site. We can have the same ArtifactKeyARN param for consistency and address #5472 🙏

@bencehornak
Copy link
Contributor Author

Sure, will address your points tomorrow, @iamhopaul123

@bencehornak
Copy link
Contributor Author

@iamhopaul123 I believe I have resolved both of your remarks, see my last 2 commits

@iamhopaul123
Copy link
Contributor

@iamhopaul123 I believe I have resolved both of your remarks, see my last 2 commits

Looks good! Thank you!

CaptainCarpensir
CaptainCarpensir approved these changes Dec 11, 2023
View reviewed changes
Copy link
Contributor

@CaptainCarpensir CaptainCarpensir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good to me! Thanks so much for contributing ❤️

@mergify mergify bot merged commit ae710d5 into aws:mainline Dec 11, 2023
12 checks passed
@HoosCoding HoosCoding mentioned this pull request Dec 18, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iamhopaul123 iamhopaul123 iamhopaul123 approved these changes

@CaptainCarpensir CaptainCarpensir CaptainCarpensir approved these changes

@KollaAdithya KollaAdithya Awaiting requested review from KollaAdithya KollaAdithya is a code owner automatically assigned from aws/aws-ecs-devx

@huanjani huanjani Awaiting requested review from huanjani

Assignees
No one assigned
Labels
None yet
Projects
Sprint 🏃‍♀️
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bencehornak @bencehornak-gls @codecov-commenter @iamhopaul123 @CaptainCarpensir