
feature(kms): Allow Functions to Decrypt Environment Variables #1990

chrisoverzero (Contributor):

...If They Have Been Encrypted

When a Function specifies that its environment variables should be
encrypted by supplying a value for KmsKeyArn, a corresponding
Policy will be generated for that Function's execution Role which
allows it to decrypt the environment variables with that key.
Permissions are restricted so that it should be able to do nothing
else with the key.

Issue #, if available:

#1989

Description of changes:

Checks for presence of KmsKeyArn and creates a corresponding AWS::IAM::Policy for kms:Decrypt on that value with restrictive Conditions.

Description of how you validated changes:

Ran all unit tests and compared generated policy to manually written one from other, earlier projects.

Checklist:

  • Write/update tests
  • make pr passes
  • Update documentation
  • Verify transformed template deploys and application functions as expected

Examples?

Please reach out in the comments, if you want to add an example. Examples will be
added to sam init through https://github.com/awslabs/aws-sam-cli-app-templates/

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
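As an added example (not the SAM translator's own implementation), the following Python builds the kind of scoped `AWS::IAM::Policy` the PR describes for a Function whose environment variables are encrypted with `KmsKeyArn`, and checks that the result grants nothing but `kms:Decrypt`. The `kms:ViaService` and `kms:EncryptionContext:aws:lambda:FunctionArn` condition keys are assumptions about what "restrictive Conditions" means, since the PR does not list them.

```python
# Added example, not code from the aws-sam translator. The condition keys
# below are assumed; the PR only says the grant uses "restrictive Conditions".
from typing import Optional


def build_env_decrypt_policy(function_logical_id: str,
                             function_props: dict) -> Optional[dict]:
    """Return an AWS::IAM::Policy resource dict, or None when the Function
    sets no KmsKeyArn (Lambda then uses its service key; no grant needed)."""
    key_arn = function_props.get("KmsKeyArn")
    if not key_arn:
        return None
    # Intrinsics such as Ref / Fn::GetAtt are passed through unresolved;
    # CloudFormation resolves them at deploy time.
    function_arn = {"Fn::GetAtt": [function_logical_id, "Arn"]}
    statement = {
        "Effect": "Allow",
        "Action": "kms:Decrypt",  # decrypt only: no Encrypt, GenerateDataKey, ...
        "Resource": key_arn,      # only the key named in KmsKeyArn
        "Condition": {
            "StringEquals": {
                # Assumed keys: match only calls made through the Lambda
                # service while decrypting this function's own variables.
                "kms:ViaService": {"Fn::Sub": "lambda.${AWS::Region}.amazonaws.com"},
                "kms:EncryptionContext:aws:lambda:FunctionArn": function_arn,
            }
        },
    }
    return {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": f"{function_logical_id}EnvVarDecryptPolicy",
            "Roles": [{"Ref": f"{function_logical_id}Role"}],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        },
    }


def grants_only_decrypt(policy: dict) -> bool:
    """True when every Allow statement grants exactly kms:Decrypt and carries
    a Condition, i.e. the role 'can do nothing else with the key'."""
    for st in policy["Properties"]["PolicyDocument"]["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") == "Allow" and (actions != ["kms:Decrypt"]
                                            or "Condition" not in st):
            return False
    return True
```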

@chrisoverzero force-pushed the feature/environment-variable-decryption-policy branch from f85ea2e to d43fe76 on April 13, 2021 at 19:27.