fix(scheduler-alpha): too many KMS permissions granted#31923
fix(scheduler-alpha): too many KMS permissions granted#31923mergify[bot] merged 4 commits intoaws:mainfrom
Conversation
|
|
||
| class SomeLambdaTarget implements scheduler.IScheduleTarget { | ||
| public constructor(private readonly fn: lambda.IFunction, private readonly role: iam.IRole) { | ||
| class SomeSqsTarget implements scheduler.IScheduleTarget { |
There was a problem hiding this comment.
Opted to use SQS queue for this test so that we can use ReceiveMessage in the assertions to test the runtime behaviour, without needing to write a Lambda Function.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Tracking #31785.
Reason for this change
When customer use a KMS Customer Managed Key (CMK) with the
Scheduleconstruct, the following permissions are added to the scheduler execution role:However, upon testing, having only the
kms:Decryptpermission is enough for the Schedule to invoke the target (Lambda Function as a target was used in the test.).Description of changes
This PR removes the unneeded KMS permissions and updated integ test to verify that the schedule is still able to invoke the target.
Description of how you validated changes
Unit test and integ test.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
BREAKING CHANGE: Extra KMS permissions are removed from Schedule execution role when KMS key is passed to Schedule.