Cannot determine KMS Key Policy creation with assumed roles #5173

nis-thac opened this issue Feb 6, 2025 · 2 comments
Labels
awaiting-feedback Blocked on input from the author kind/bug Some behavior is incorrect or out of spec

Comments

@nis-thac

nis-thac commented Feb 6, 2025

Describe what happened

Pulumi will create my KMS Key and its associated Key Policy. Then it will try to get the key policy to verify its creation. This fails. After some investigation, I figured out this.

CloudTrail shows this User Agent: APN/1.0 Pulumi/1.0 Pulumi/1.0 Pulumi-Aws/0.11+compatible (+https://pulumi.com) aws-sdk-go-v2/1.32.8 ua/2.1 os/windows lang/go#1.23.4 md/GOOS#windows md/GOARCH#amd64 api/kms#1.37.11

Doing aws kms get-key-policy --key-id <keyid> --policy-name default manually works.

Pulumi is using my SSO user with an assumed role, the same one I used to execute the above command.

How do I fix this?

Sample program

Minimal policy I try to apply:

import * as aws from "@pulumi/aws";

// Customer managed KMS key; its default key policy is replaced by the KeyPolicy below.
const key = new aws.kms.Key("my-customer-key", {
    description: "my customer managed key",
});

// Principals granted kms:* on the key: the SSO assumed-role session, the account
// root, and the IAM role that backs the SSO permission set.
const statements = [{
    "Sid": "AllowCurrentUserAndRoleAndRootAdminAccessOnKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:sts::<account>:assumed-role/AWSReservedSSO_<roleName>_<hash>/<username>",
            "arn:aws:iam::<account>:root",
            "arn:aws:iam::<account>:role/aws-reserved/sso.amazonaws.com/<region>/AWSReservedSSO_<roleName>_<hash>"
        ]
    },
    "Action": "kms:*",
    "Resource": "*"
}];
const policy = {
    Version: "2012-10-17",
    Id: "default",
    Statement: statements,
};

// Attach the policy once the key id is resolved.
key.id.apply((keyId) => {
    new aws.kms.KeyPolicy("default", {
        keyId: keyId,
        policy: JSON.stringify(policy),
    });
});

Log output

Diagnostics:
aws:kms:KeyPolicy (default):
error: sdk-v2/provider2.go:515: sdk.helper_schema: waiting for KMS Key Policy (6...b) policy update: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 10m0s): [email protected]

aws:kms:KeyPolicy (default):
error: 1 error occurred:
* waiting for KMS Key Policy (6...b) policy update: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 10m0s)

Affected Resource(s)

KMS Key Policy

Output of pulumi about

CLI
Version 3.148.0
Go Version go1.23.5
Go Compiler gc

Plugins
KIND NAME VERSION
language nodejs 3.148.0

Host
OS Microsoft Windows 10 Pro
Version 10.0.19045 Build 19045
Arch x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v18.20.5'

// Stack info redacted

Backend
Name redacted
URL s3://custom-backend
User redacted
Organizations
Token type personal

warning: Failed to get information about the Pulumi program's dependencies: found redacted\yarn.lock but no yarn executable: unable to find program: yarn.exe

Additional context

No response


@nis-thac nis-thac added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 6, 2025
@nis-thac
Author

nis-thac commented Feb 7, 2025

Further investigation reveals that the same problem occurs with any assumed role. Using a 'regular' role/user works. Using this statement fixes the problem too; this is a non-solution, however.

{
  "Sid": "AllowAllAccess",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "kms:*",
  "Resource": "*"
}

@nis-thac nis-thac changed the title Cannot determine KMS Key Policy creation due to wrong request Cannot determine KMS Key Policy creation with assumed roles Feb 7, 2025
@corymhall
Contributor

@nis-thac when you run aws kms get-key-policy --key-id <keyid> --policy-name default is it returning the policy that you are creating or is it returning the default policy that is created when you create a key? There is an existing issue where if there are any issues with the key policy it will keep trying until it times out and then will just tell you it failed with a timeout error (doesn't let you know it was an invalid policy).

I was able to get your example to work, but one thing I noticed was that the region specified in the AWS SSO role arn needs to be the AWS SSO region, not the region that you are deploying to. The first time I tried I used the region I was deploying to and I got the timeout as well.

arn:aws:iam::<account>:role/aws-reserved/sso.amazonaws.com/<sso_region>/AWSReservedSSO_<roleName>_<hash>

@corymhall corymhall added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Feb 7, 2025