docs(codepipeline-actions): clarify how to use an encrypted existing Bucket with the S3SourceAction #15310
Conversation
…d S3 source bucket
|
|
There was a problem hiding this comment.
Thanks for the PR @berenddeboer, but the way to do that in the CDK is to specify the Key when importing a Bucket:
const bucket = s3.Bucket.fromBucketAttributes(this, 'Bucket', {
arn: 'arn:aws:s3:...',
encryptionKey: kms.Key.fromKeyArn(stack, 'MyKey', 'arn:aws:kms:...'),
});Now, passing bucket to S3SourceAction will grant the action's Role permissions to use that Key.
(BTW, if you want to customize the permissions a Role for a given Action has, you can always pass in a Role when creating the Action by using the role property of the Action class)
Hope this clears this up!
|
Ah that's great, I completely missed that. Shall I just change my pull request to a documentation update? I.e. giving an example? And would it be better to submit a new pull request for that? |
Feel free to either repurpose this one to only have a documentation update, or close this one, and open a new one - I'm fine with either, whatever is easier for you 🙂. |
|
Linter now fails as I removed the test file change. Is it possible to change the title to a docs update? It seems I can't change the title myself. |
skinny85
changed the title
| If an imported bucket has been encrypted with a custom key, import the | ||
| bucket in your stack with the key as follows: | ||
|
|
||
| ```ts | ||
| const key = kms.Key.fromKeyArn(stack, 'MyKey', 'arn:aws:kms:...'); | ||
| const sourceBucket = s3.Bucket.fromBucketAttributes(this, 'Bucket', { | ||
| BucketName: 'MyBucket', | ||
| encryptionKey: key, | ||
| }); | ||
| const sourceAction = new codepipeline_actions.S3SourceAction({ | ||
| actionName: 'S3Source', | ||
| bucket: sourceBucket, | ||
| bucketKey: 'path/to/file.zip', | ||
| encryptionKey: encryptionKey, | ||
| output: sourceOutput, | ||
| }); | ||
| ``` |
There was a problem hiding this comment.
All of this should be removed.
| * const bucket = s3.Bucket.fromBucketAttributes(this, 'Bucket', { | ||
| * BucketName: 'MyBucket', | ||
| * encryptionKey: kms.Key.fromKeyArn(stack, 'MyKey', 'arn:aws:kms:...'), | ||
| * }); |
There was a problem hiding this comment.
Let's not put code in the docs (remember that CDK is a multi-language environment).
Just mention the Bucket.fromBucketAttributes() method here, and that you should provide the Key there.
Or move these docs to the ReadMe file (those are automatically translated to other languages).
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…Bucket with the S3SourceAction (aws#15310) If you import an S3 bucket encrypted with a custom key, it's impossible to give the source action role permission to use that key for decryption as far as I could see. I.e. I was not able to access this source action role. By adding `encryptionKey` you can specify it at in the S3 source props, and permissions can then be granted inside this private heavy object. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If you import an S3 bucket encrypted with a custom key, it's impossible to give the source action role permission to use that key for decryption as far as I could see. I.e. I was not able to access this source action role.
By adding
encryptionKeyyou can specify it at in the S3 source props, and permissions can then be granted inside this private heavy object.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license