-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sns_subscriptions: Breaking change from issue 19796 where an exception was added for code that works #26719
Comments
Thanks for reporting this @MurraySpeight, It appears to me that the AWS managed key for SQS has the proper permissions. Here's the policy for the one in my console (since I can't find the docs for this): {
"Version": "2012-10-17",
"Id": "auto-sqs-1",
"Statement": [
{
"Sid": "Allow access through Simple Queue Service (SQS) for all principals in the account that are authorized to use SQS",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "123456789012",
"kms:ViaService": "sqs.us-east-1.amazonaws.com"
}
}
},
{
"Sid": "Allow direct access to key metadata to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:RevokeGrant"
],
"Resource": "*"
}
]
} |
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
Hi @peterwoodworth, yes this deploys and works as expected. My SQS queue is subscribed to the topic and is receiving events. The DLQ redrive functionality also works and I do not get the message in the console you see - but DLQs aren't relevant to this problem because the exception occurs with just an SQS trying to subscribe to a topic without DLQs configured. |
We also see the same issue after upgrading to 2.89.0 import sns = require('aws-cdk-lib/aws-sns');
import sqs = require('aws-cdk-lib/aws-sqs');
// ...
const failureQueue = new sqs.Queue(this, failureQueueName, {
queueName: failureQueueName,
encryption: sqs.QueueEncryption.KMS_MANAGED,
retentionPeriod: Duration.days(14),
visibilityTimeout: Duration.seconds(60),
});
failureTopic.addSubscription(
new SqsSubscription(failureQueue, {
rawMessageDelivery: true,
})
); FYI: Before the upgrade, the SQS queue was deployed successfully with SSE enabled using SSE-KMS (with master key |
Hey @MurraySpeight Thanks for providing the example! When I deploy your code, it does work. However the queue is actually encrypted with a customer managed key. This is because we silently do this check at the moment: if (encryption !== QueueEncryption.KMS && props.encryptionMasterKey) {
encryption = QueueEncryption.KMS; // KMS is implied by specifying an encryption key
} Can you please confirm for me:
Basically I think being able to specify
Hi @lixx Thanks for providing these details. I cannot get your example to work. |
@peterwoodworth I think the policy is maybe missing permissions for Edit: It tested various policies, and it's the |
@lixx I did some more resource (see post above) and I don't believe this does work. The code snippet you've provided does synth and deploy, but the subscription does not actually work. If you can provide me with more details, I'm happy to investigate further. Until then, I am assuming you've run into a similar situation as @MurraySpeight and will consider the issue fixed with the change in #26884 |
@mrgrain the queues are encrypted with a customer managed key as I believe this is the only way to encrypt when subscribing to a cross-account SNS topic. I have made your suggested change of changing the So my understanding of this issue from your above description is I was incorrectly configuring the queue but pre-v2.89 CDK was silently fixing my mistake by overriding to the I think a warning here would be massively helpful e.g. Thanks for your help resolving this! |
…vided (#26886) In #19796 we added additional validation to sns subscription. For that purpose the Queue `encryptionType` was exposed as a public property. However the PR forgot to take into account that the provided `encryption` property is automatically changed when a `encryptionMasterKey` is provided. This PR ensures that the public `encryptionType` has the correct value. Additionally, adds a warning for an incorrect configuration scenario where `encryptionMasterKey` is provided together with an `encryption` other than QueueEncryption.KMS. This feature was supposed to allow users to simply provide an encryption key and have the encryption type being selected automatically. However it now unintentionally allows for wrong configurations that are silently fixed, e.g. setting QueueEncryption.UNENCRYPTED and providing an encryption key. The warning keeps backwards compatibility, but instructs users to fix their configuration. Closes #26719 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the bug
Merging of change from issue #19796 has caused a breaking change in my CDK project. Creating new issue to create attention to the problem and quoting comment I put on the closed issue below:
@NGL321 @bmoffatt it looks like this change is preventing my originally working CDK on v2.88 to no longer synth on v2.89.
I am currently using an SSE enabled queue subscribed to a topic and with the necessary IAM privileges mentioned here https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse the CDK was synthing and deploying in CloudFormation without issue. Now that I have upgraded CDK, the code is refusing to synth with this new exception!
Here is what the code I am using looks like:
Expected Behavior
Calling
addSubscription
method on a topic with a subscription to an SSE SQS queue using a customer key to work without exception.Current Behavior
SQS queue encrypted by AWS managed KMS key cannot be used as SNS subscription
exception message thrown when callingaddSubscription
method on a topic with a subscription to an SSE SQS queue using a customer key.Reproduction Steps
Code in main description. Specifically:
Possible Solution
Back out change made on issue #19796
Additional Information/Context
No response
CDK CLI Version
2.89
Framework Version
No response
Node.js Version
18
OS
Linux
Language
Typescript
Language Version
No response
Other information
CDK versions before 2.89 do not have this issue.
The text was updated successfully, but these errors were encountered: