aws_kms: add methods on Alias and IAlias to grant permissions to the Alias instead of the key

[jonnekaunisto]

Describe the feature

In https://github.com/aws/aws-cdk/blob/v2.49.0/packages/@aws-cdk/aws-kms/lib/alias.ts#L159-L162 the grant methods don't do anything, but it is possible to add permissions to just the alias: https://docs.aws.amazon.com/kms/latest/developerguide/alias-authorization.html

This feature request is to do that.

Use Case

We have a key that is not managed by the same CDK package and the easiest way to add access to the key is by using the alias. But we have to do that manually instead of using the grant methods.

Proposed Solution

Not too familiar with this yet

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

N/A

Environment details (OS name and version, etc.)

Mac

[peterwoodworth]

Thanks for reporting this @jonnekaunisto,

Our grant methods on IAlias do nothing because there is no key defined on the IAlias. Since the grant methods on Alias require the key, we wouldn't want the same methods on the imported alias to serve a different function. So, I think that these methods should stay the way they are.

However, you raise a good point that you can manage permissions with the Alias instead of the key. My proposal to this problem is to introduce a new set of grant methods which are specifically for granting permissions for the Alias instead of the key. We could introduce these methods to both the Alias and IAlias so that you can still use these methods without importing an Alias.

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂