aws-kms: missing sign and verify IAM roles

[jonasclaes]

Describe the feature

The AWS KMS service has support for asymmetric keys.

When you want to sign or verify a piece of data against one of these keys, you need access to kms:Sign and/or kms:Verify.

These methods are not implemented at the moment.

Use Case

Signing of data and verifying of data using the AWS KMS service.

Proposed Solution

The grantSign, grantVerify and grantSignVerify methods are implemented in the same way as the current grantEncrypt, grantDecrypt and grantEncryptDecrypt methods.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.53.0

Environment details (OS name and version, etc.)

Ubuntu 22.04.1 LTS

[jonasclaes]

Some extra information:
https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-kms/lib/private/perms.ts should get kms:Sign and kms:Verify

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-kms/lib/key.ts#L14-L63 functions should be implemented here I think

[jonasclaes]

Sign: https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html
Verify: https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html
Other KMS permissions: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html

[peterwoodworth]

Thanks for the request and the links to documentation @jonasclaes, I see why this would be valuable to have 🙂

You can work around this by adding to the policy documents you wish to modify, or at the least you would be able to use escape hatches to modify any existing policies as well if they don't meet your needs

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'll try to review a PR

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.