Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-logs: KMS Policy Not Updated When Using KMS CMK #28304

Open
joel-aws opened this issue Dec 8, 2023 · 2 comments
Open

aws-logs: KMS Policy Not Updated When Using KMS CMK #28304

joel-aws opened this issue Dec 8, 2023 · 2 comments
Labels
@aws-cdk/aws-logs Related to Amazon CloudWatch Logs bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@joel-aws
Copy link
Contributor

joel-aws commented Dec 8, 2023
edited
Loading

Describe the bug

From reading the docs, using a KMS CMK with a Log Group should involve just passing the key to the Log Group. However, when doing that alone, KMS lacks the required permission to interact with Logs.

Expected Behavior

For the LogGroup Construct to automatically set the required permissions to interact with KMS when a KMS CMK key is passed to it.

Current Behavior

12:58:26 PM | CREATE_FAILED        | AWS::Logs::LogGroup | logs00112233
Resource handler returned message: "The specified KMS key does not exist or is not allowed to be used with Arn 'arn:aws:logs:us-east-1:112233445566:log-group:PythonStack-logs00112233-AABBCCDDEEFF' (Service: CloudWatchLogs, Status Code: 400, Request <...>. HandlerErrorCode: GeneralServiceException)

Reproduction Steps

from aws_cdk import (
    Stack,
    aws_kms as kms,
    aws_logs as logs,
)
from constructs import Construct


class PythonStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        key = kms.Key(self, "key")

        log_group = logs.LogGroup(self, "logs", encryption_key=key)

Possible Solution

When passing a KMS CMK to a LogGroup, automatically grant the necessary permissions to the logs.amazonaws.com Service Principal.

Additional Information/Context

No response

CDK CLI Version

2.114.1

Framework Version

No response

Node.js Version

18.16.0

OS

Mac

Language

Python

Language Version

No response

Other information

No response
@joel-aws joel-aws added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-logs Related to Amazon CloudWatch Logs label Dec 8, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 8, 2023
@khushail
Copy link
Contributor

khushail commented Dec 8, 2023

Thanks @joel-aws for reporting this. I am able to reproduce this.

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 8, 2023
@lpizzinidev lpizzinidev mentioned this issue Dec 10, 2023
Closed
@github-actions github-actions bot mentioned this issue Jan 1, 2024
Closed
@ronkoaveone
Copy link

Me too. Wow only hit on the entire internet for this log message. Thanks very much for the suggestion to grant Service principal logs.amazonaws.com, but I agree, this was not intuitive at all.

@VaidSaraswat VaidSaraswat mentioned this issue Aug 16, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-logs Related to Amazon CloudWatch Logs bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(logs): missing KMS key policy statement lpizzinidev/aws-cdk
3 participants
@joel-aws @ronkoaveone @khushail