
DynamoDB table: Customer Managed encryption throws KMS key access denied #18616

Closed
amitsharma1729 opened this issue Jan 22, 2022 · 4 comments · Fixed by #18721
Labels
@aws-cdk/aws-dynamodb Related to Amazon DynamoDB bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2

Comments

@amitsharma1729

amitsharma1729 commented Jan 22, 2022

What is the problem?

Whenever I create a new Table resource in my stack it throws a KMS access denied/Not found exception upon deployment of the CloudFormation stack. The table that I am creating has the following properties:

// Imports assume the CDK v1 module layout that matches CLI 1.109.0.
import { AttributeType, BillingMode, Table, TableEncryption } from '@aws-cdk/aws-dynamodb';
import { RemovalPolicy } from '@aws-cdk/core';

// Inside a Stack or Construct. No encryptionKey is passed, so the CDK creates the KMS key itself.
new Table(this, 'TableRandomId', {
  tableName: 'TemporaryName123',
  partitionKey: { name: 'employeeName', type: AttributeType.STRING },
  encryption: TableEncryption.CUSTOMER_MANAGED,
  billingMode: BillingMode.PAY_PER_REQUEST,
  pointInTimeRecovery: true,
  removalPolicy: RemovalPolicy.RETAIN,
  timeToLiveAttribute: 'expires_at',
});

Whenever this resource is on the step of being created it throws following error:

KMS key access denied error: com.amazonaws.services.kms.model.AWSKMSException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: *****; Proxy: null) (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: ****; Proxy: null)

The only change in my previously successfully deploying stack is the addition of a new table, that's it!

Reproduction Steps

Create a table with CustomerManaged encryption.

What did you expect to happen?

A new table being created without any issues. Or at least a more descriptive error message :)

What actually happened?

KMS access denied or not found, failing the table creation.

CDK CLI Version

1.109.0 (build c647e38)

Framework Version

No response

Node.js Version

14.x

OS

macOS BigSur 11.6.2

Language

Typescript

Language Version

4.3.2

Other information

No response

@amitsharma1729 amitsharma1729 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 22, 2022
@github-actions github-actions bot added the @aws-cdk/aws-dynamodb Related to Amazon DynamoDB label Jan 22, 2022
@NGL321 NGL321 added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2022
@rix0rrr
Contributor

rix0rrr commented Jan 28, 2022

You need to set the @aws-cdk/aws-kms:defaultKeyPolicies feature flag to true in cdk.json:

{
  "app": "...",
  "context": {
    "@aws-cdk/aws-kms:defaultKeyPolicies": true
  }
}

Or use table.encryptionKey?.addToResourcePolicy() to add the required permissions for using the key to the key policy, as described in Bring your own encryption keys to Amazon DynamoDB.
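Both fixes in the comment above come down to what the synthesized key policy lets the account root do, because DynamoDB uses the key on behalf of the caller's IAM principals. As an added check (not code from the issue or from aws-cdk), this TypeScript walks a key policy and reports which of the KMS actions DynamoDB needs are not granted through the account root; the two policies are constructed samples modelled on the legacy and defaultKeyPolicies shapes, and the account id is made up.

```typescript
// Added example, not code from the issue or from aws-cdk: reports which actions
// DynamoDB still cannot perform on a key, judged by what the key policy grants to
// the account root. Policies and the account id below are constructed samples.
type KeyPrincipal = '*' | { AWS: string | string[] };
interface KeyStatement { Effect: 'Allow' | 'Deny'; Principal: KeyPrincipal; Action: string | string[]; Resource: string }
interface KeyPolicy { Version: string; Statement: KeyStatement[] }
const ACCOUNT = '111122223333'; // constructed sample account id
const ROOT_ARN = 'arn:aws:iam::' + ACCOUNT + ':root';

// Concrete KMS actions DynamoDB needs on a customer managed key.
const DYNAMODB_KEY_ACTIONS = [
  'kms:Encrypt', 'kms:Decrypt', 'kms:ReEncryptFrom', 'kms:ReEncryptTo',
  'kms:GenerateDataKey', 'kms:GenerateDataKeyWithoutPlaintext',
  'kms:DescribeKey', 'kms:CreateGrant',
];

// IAM action patterns use '*' as a wildcard and match case-insensitively.
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.split('*').map(p => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(action);
}

// The account root is the principal through which IAM policies get delegated access.
function principalIsAccountRoot(p: KeyPrincipal): boolean {
  if (p === '*') return true;
  const aws = Array.isArray(p.AWS) ? p.AWS : [p.AWS];
  return aws.indexOf('*') !== -1 || aws.indexOf(ROOT_ARN) !== -1;
}

// Returns the DynamoDB actions that no Allow statement grants to the account root.
// Deny statements and conditions are ignored; CDK's default policies have neither.
function missingDynamoDbActions(policy: KeyPolicy): string[] {
  const allowed = policy.Statement
    .filter(s => s.Effect === 'Allow' && s.Resource === '*' && principalIsAccountRoot(s.Principal))
    .reduce<string[]>((acc, s) => acc.concat(s.Action), []);
  return DYNAMODB_KEY_ACTIONS.filter(a => !allowed.some(pat => actionMatches(pat, a)));
}

// Constructed sample of the legacy shape (flag unset): root gets an admin action list only.
const LEGACY_POLICY: KeyPolicy = { Version: '2012-10-17', Statement: [{
  Effect: 'Allow', Principal: { AWS: ROOT_ARN }, Resource: '*',
  Action: ['kms:Create*', 'kms:Describe*', 'kms:Enable*', 'kms:List*', 'kms:Put*', 'kms:Update*',
    'kms:Revoke*', 'kms:Disable*', 'kms:Get*', 'kms:Delete*', 'kms:ScheduleKeyDeletion',
    'kms:CancelKeyDeletion', 'kms:GenerateDataKey', 'kms:TagResource', 'kms:UntagResource'],
}] };
// Constructed sample of the @aws-cdk/aws-kms:defaultKeyPolicies shape: root gets kms:*.
const DEFAULT_KEY_POLICY: KeyPolicy = { Version: '2012-10-17', Statement: [{
  Effect: 'Allow', Principal: { AWS: ROOT_ARN }, Resource: '*', Action: 'kms:*',
}] };
```

Run it against the KMS key policy in a synthesized template (cdk synth) before deploying: an empty result means the table's encryption calls can be authorized through IAM, a non-empty one predicts the AccessDeniedException in the issue.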

@mergify mergify bot closed this as completed in #18721 Jan 31, 2022
mergify bot pushed a commit that referenced this issue Jan 31, 2022
Whether creating a Table with a custom KMS key succeeds depends
on the permissions on the key. The default permissions are correct,
but only if the appropriate feature flag is set.

Without changing code yet, add the caveat on proper configuration
to the documentation.

Fixes #18616

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@skinny85
Contributor

@rix0rrr shouldn't we handle this in the CDK automatically for you?

@skinny85 skinny85 changed the title DynamodB table: Customer Managed encryption throws KMS key access denied DynamoDB table: Customer Managed encryption throws KMS key access denied Jan 31, 2022
@skinny85 skinny85 reopened this Jan 31, 2022
@skinny85 skinny85 self-assigned this Jan 31, 2022
@NGL321 NGL321 added in-progress This issue is being actively worked on. and removed needs-reproduction This issue needs reproduction. labels Jan 31, 2022
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@skinny85 skinny85 added effort/medium Medium work item – several days of effort and removed in-progress This issue is being actively worked on. labels May 5, 2022
@skinny85 skinny85 removed their assignment May 5, 2022
@github-actions

github-actions bot commented May 5, 2023

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 5, 2023