CodePipeline: allow alias to be assigned to autogenerated KMS key #2569

Closed
otterley opened this issue May 16, 2019 · 1 comment · Fixed by #3694
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline feature-request A feature should be added or improved.

Comments

@otterley
Contributor

otterley commented May 16, 2019

CodePipeline pipelines created by the codepipeline.Pipeline class will automatically generate an S3 bucket to store artifacts in and a KMS key (CMK) to encrypt the objects in that bucket, if the bucket isn't specified via the artifactBucket property.

It would be helpful if one could specify an alias to assign to the autogenerated CMK so that other account users have an indication that the CMK is used for the pipeline. This could also help dissuade administrators from accidentally marking the CMK for expiration, which would render the pipeline unusable.

@skinny85
Contributor

This is solved in #3694 by always creating an Alias for the autogenerated CodePipelineKey.

@skinny85 skinny85 added the @aws-cdk/aws-codepipeline Related to AWS CodePipeline label Aug 17, 2019
@skinny85 skinny85 self-assigned this Aug 17, 2019
skinny85 added a commit that referenced this issue Sep 11, 2019
This changes the scaffolding stack logic for the cross-region CodePipelines to include a KMS key and alias as part of it, which are required if an action is simultaneously cross-region and cross-account. We also change to use the KMS key ID instead of the key ARN when rendering the ArtifactStores property.

We also add an alias to the default pipeline artifact bucket.

This required a bunch of changes to the KMS and S3 modules:

* Alias now implements IKey
* Added the keyId property to IKey
* Added removalPolicy property to Alias
* Granting permissions to a key works if the principal belongs to a stack that is a dependent of the key stack
* Allow specifying a key when importing a bucket

Fixes #52
Concerns #1584
Fixes #2517
Fixes #2569
Concerns #3275
Fixes #3138
Fixes #3388
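
A check in the spirit of this request, as an added example that is not part of the issue or of aws-cdk: it walks a synthesized CloudFormation template and reports every AWS::KMS::Key that an AWS::CodePipeline::Pipeline references directly but that no AWS::KMS::Alias targets. The template, logical IDs, alias name and function names are constructed for illustration.

```typescript
// Added example (not aws-cdk code): KMS keys a pipeline uses that no alias targets.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
interface StackResource { Type: string; Properties?: { [key: string]: Json } }
interface StackTemplate { Resources: { [logicalId: string]: StackResource } }

// Collect logical IDs referenced through Ref or Fn::GetAtt anywhere in a value.
function referencedIds(value: Json | undefined, out: string[] = []): string[] {
  if (Array.isArray(value)) {
    for (const item of value) referencedIds(item, out);
  } else if (value !== null && typeof value === "object") {
    const ref = value["Ref"];
    const getAtt = value["Fn::GetAtt"];
    const target = Array.isArray(getAtt) ? getAtt[0] : undefined;
    if (typeof ref === "string") out.push(ref);
    if (typeof target === "string") out.push(target);
    for (const key of Object.keys(value)) referencedIds(value[key], out);
  }
  return out;
}

function pipelineKeysWithoutAlias(template: StackTemplate): string[] {
  const resources = template.Resources;
  const ofType = (type: string) =>
    Object.keys(resources).filter((id) => resources[id]?.Type === type);
  const aliased: string[] = []; // keys that some alias already targets
  for (const id of ofType("AWS::KMS::Alias"))
    referencedIds(resources[id]?.Properties?.["TargetKeyId"], aliased);
  const used: string[] = []; // every logical ID the pipelines reference
  for (const id of ofType("AWS::CodePipeline::Pipeline"))
    referencedIds(resources[id]?.Properties, used);
  return ofType("AWS::KMS::Key")
    .filter((id) => used.indexOf(id) !== -1 && aliased.indexOf(id) === -1);
}

// Constructed sample template: logical IDs, bucket names and alias are made up.
const store = (bucket: string, keyId: Json): Json =>
  ({ Type: "S3", Location: bucket, EncryptionKey: { Type: "KMS", Id: keyId } });
const sample: StackTemplate = {
  Resources: {
    AliasedKey: { Type: "AWS::KMS::Key" },
    BareKey: { Type: "AWS::KMS::Key" },
    KeyAlias: { Type: "AWS::KMS::Alias", Properties: {
      AliasName: "alias/example-pipeline", TargetKeyId: { "Fn::GetAtt": ["AliasedKey", "Arn"] } } },
    PipelineA: { Type: "AWS::CodePipeline::Pipeline", Properties: {
      ArtifactStore: store("bucket-a", { "Fn::GetAtt": ["AliasedKey", "Arn"] }) } },
    PipelineB: { Type: "AWS::CodePipeline::Pipeline", Properties: {
      ArtifactStores: [{ Region: "us-west-2", ArtifactStore: store("bucket-b", { Ref: "BareKey" }) }] } },
  },
};
console.log(pipelineKeysWithoutAlias(sample));
```

Only direct references from the pipeline resource are followed; a key that reaches the pipeline solely through the bucket's encryption settings is not reported.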