Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't create env in a different account (not authorized to perform: kms:UntagResource) #1199

Closed
hnrc opened this issue Jul 28, 2020 · 10 comments · Fixed by #1206
Closed

Can't create env in a different account (not authorized to perform: kms:UntagResource) #1199

hnrc opened this issue Jul 28, 2020 · 10 comments · Fixed by #1206
Labels
area/app Issues about applications.

Comments

@hnrc
Copy link
Contributor

hnrc commented Jul 28, 2020
edited
Loading

I tried creating a new environment in a different AWS account but ran into an issue with KMSKey.

Exception=[class software.amazon.awssdk.services.kms.model.KmsException] ErrorCode=[AccessDeniedException], ErrorMessage=[User: arn:aws:sts::123:assumed-role/foo-executionrole/abc-123 is not authorized to perform: kms:UntagResource on resource: arn:aws:kms:eu-central-1:123:key/def-456]

I can see that the key policy on arn:aws:kms:eu-central-1:123:key/def-456 does not allow kms:UntagResource.

{
    "Version": "2012-10-17",
    "Id": "StackSet-sample-java-infrastructure-db3e2f97-ea6a-4a49-9e62-3533e652841a",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123:root"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:Tag*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123:root"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

CLI version: 0.2.0
@kohidave
Copy link
Contributor

Oh that's definitely odd - we don't try to untag KMS keys. This is happening when you run copilot env init in the linking account part of environment creation?

Did you find this error in the CloudFormation stack?

Thanks for your help, hope we can get this resolved quickly!

@hnrc
Copy link
Contributor Author

hnrc commented Jul 28, 2020

This is happening when you run copilot env init in the linking account part of environment creation?

Here's the exact command I was running:

$ AWS_DEFAULT_REGION=eu-central-1 copilot env init --profile another-account
What is your environment's name? dev
✔ Shared DNS permissions for this application to account 010101.

✔ Created the infrastructure for the dev environment.
- Virtual private cloud on 2 availability zones to hold your services     [Complete]
- Virtual private cloud on 2 availability zones to hold your services     [Complete]
  - Internet gateway to connect the network to the internet               [Complete]
  - Public subnets for internet facing services                           [Complete]
  - Private subnets for services that can't be reached from the internet  [Complete]
  - Routing tables for services to talk with each other                   [Complete]
- ECS Cluster to hold your services                                       [Complete]
- Application load balancer to distribute traffic                         [Complete]
✘ Failed to link account 010101 and region eu-central-1 to application sample-java.

✘ deploy env dev to application sample-java: adding dev environment resources to application: operation 4 for stack set sample-java-infrastructure failed

Did you find this error in the CloudFormation stack?

Aye!

@kohidave
Copy link
Contributor

Super helpful - thank you! A few more questions that maybe you can help me out with. Are you trying to spin up this environment in eu-central-1 (is that why you're using AWS_DEFAULT_REGION?)

Second, which region is the stack sample-java-infrastructure-roles in?

@hnrc
Copy link
Contributor Author

hnrc commented Jul 28, 2020

Are you trying to spin up this environment in eu-central-1 (is that why you're using AWS_DEFAULT_REGION?)

Correct.

which region is the stack sample-java-infrastructure-roles in?

It’s also in eu-central-1.

@efekarakus efekarakus added the area/creds Issues about credentials. label Jul 28, 2020
@kohidave
Copy link
Contributor

kohidave commented Jul 28, 2020
edited
Loading

Ok even more questions for you! (thank you so much for your time! I realize this is super inconvenient for you).

Did you happen to use the additional --resource-tags feature when you set up your app the first time? If you can't remember, you can look at the tags that are part of your CloudFormation stack.

I was able to reproduce it. Let me dig a little deeper and figure out how to help you out!

@kohidave
Copy link
Contributor

kohidave commented Jul 29, 2020
edited
Loading

So after investigating this, I can confirm that adding the kms:UntagResource to the key policy works, but I'm still not sure why CloudFormation thinks it needs to untag resources. In fact, even after adding UntagResource to the KMS key policy, no tags were removed.

Super interesting, I'll reach out to the KMS/CloudFormation team to dive deeper into what's going on (but checking CloudTrail it looks like there are a few empty tag/untag requests... hmm!). In the mean time, there isn't a great remediation story I can help you with. You can add the policy to your KMS key, but that value will be overwritten when the StackSet is updated. I'll fork and build some binaries with a fix patched in that you can use - but I'll have to do that tomorrow.

@hnrc
Copy link
Contributor Author

hnrc commented Jul 29, 2020

Did you happen to use the additional --resource-tags feature when you set up your app the first time?

I did, yep :)

I'll fork and build some binaries with a fix patched in that you can use - but I'll have to do that tomorrow.

No rush. This is just a toy app I'm using to figure out a good workflow. I can just recreate it without the resource tags.

Thank you so much for your support and the work you're doing here. Everything looks very very promising!

@hnrc
Copy link
Contributor Author

hnrc commented Jul 29, 2020

I tried setting everything up from scratch without --resource-tags (and even in another set of AWS accounts) but I weirdly still ran into the same issue with kms:UntagResource.

$ AWS_PROFILE=non-default-profile copilot init --app hello-copilot-001
(...)
All right, you're all set for local development.
Deploy: No

$ AWS_PROFILE=non-default-profile copilot env init --name dev --profile non-default-profile --app hello-copilot-001
(...)
✔ Created environment dev in region eu-central-1 under application hello-copilot-001.

$ AWS_PROFILE=non-default-profile copilot env init --name prod --profile another-profile --app hello-copilot-001
(...)
✘ deploy env prod to application hello-copilot-001: adding prod environment resources to application: operation 3 for stack set hello-copilot-001-infrastructure failed

kohidave added a commit to kohidave/copilot-cli that referenced this issue Jul 29, 2020
@kohidave
fix: add UntagResource permission for KMS key
3c7f0b4 
There seems to be an issue with the current KMS CF resource
that is causing superfluous tag/untag calls. This new permission
fixes that issue.

A customer encountered this issue (aws#1199) when using resource tags,
so I've also updated the e2e tests to include setting resource tags.

In the future, this permission will be useful if we want to support
updating tags at the app level (removing a tag, for example) so it's
not entierly a hack :)
@kohidave kohidave mentioned this issue Jul 29, 2020
Merged
@mergify mergify bot closed this as completed in #1206 Jul 29, 2020
mergify bot pushed a commit that referenced this issue Jul 29, 2020
@kohidave
fix: add UntagResource permission for KMS key (#1206)
42363b3 
There seems to be an issue with the current KMS CF resource
that is causing superfluous tag/untag calls. This new permission
fixes that issue.

A customer encountered this issue (#1199) when using resource tags,
so I've also updated the e2e tests to include setting resource tags.

In the future, this permission will be useful if we want to support
updating tags at the app level (removing a tag, for example) so it's
not entierly a hack :)

Fixes #1199 

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
@efekarakus efekarakus added area/app Issues about applications. and removed area/creds Issues about credentials. labels Jul 29, 2020
@kohidave
Copy link
Contributor

Thank you for your patience again. So we dug into this - and it looks like this was a recent change introduced to the KMS CloudFormation resource. We spoke with them and they're in the process of fixing it 🎊 Thank you so much in helping us find this!

In the mean time, we've merged our own fix into Copilot.

@hnrc
Copy link
Contributor Author

hnrc commented Jul 29, 2020

Beautiful, thanks @kohidave 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/app Issues about applications.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: add UntagResource permission for KMS key kohidave/copilot-cli
3 participants
@hnrc @kohidave @efekarakus