aws-kms: missing sign and verify IAM roles #23185

Open
2 tasks
jonasclaes opened this issue Nov 30, 2022 · 3 comments · May be fixed by #32681
Labels
@aws-cdk/aws-kms Related to AWS Key Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@jonasclaes

Describe the feature

The AWS KMS service has support for asymmetric keys.

When you want to sign or verify a piece of data against one of these keys, you need access to kms:Sign and/or kms:Verify.

These methods are not implemented at the moment.

Use Case

Signing of data and verifying of data using the AWS KMS service.

Proposed Solution

The grantSign, grantVerify and grantSignVerify methods are implemented in the same way as the current grantEncrypt, grantDecrypt and grantEncryptDecrypt methods.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.53.0

Environment details (OS name and version, etc.)

Ubuntu 22.04.1 LTS

@jonasclaes jonasclaes added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 30, 2022
@github-actions github-actions bot added the @aws-cdk/aws-kms Related to AWS Key Management label Nov 30, 2022
@jonasclaes
Author

Some extra information:
https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-kms/lib/private/perms.ts should get kms:Sign and kms:Verify

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-kms/lib/key.ts#L14-L63 functions should be implemented here I think

@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 1, 2022
@peterwoodworth
Contributor

Thanks for the request and the links to documentation @jonasclaes, I see why this would be valuable to have 🙂

You can work around this by adding to the policy documents you wish to modify, or at the least you would be able to use escape hatches to modify any existing policies as well if they don't meet your needs

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'll try to review a PR
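The policy-document workaround mentioned above, sketched as an added example that is not part of this thread and is not aws-cdk code. The helper names follow the methods proposed in the issue, but their bodies, the `Statement` type, `iamMatch`, `allows`, `audit` and the placeholder `KEY_ARN` are assumptions made for illustration.

```typescript
// Added example: plain IAM statement builders, not aws-cdk code.
type Statement = { Effect: "Allow"; Action: string[]; Resource: string[] };

// Constructed placeholder ARN, not a real key.
const KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID";

// Build an Allow statement scoped to exactly one key.
function grant(keyArn: string, actions: string[]): Statement {
  if (/[*?]/.test(keyArn)) throw new Error("key ARN must not contain wildcards");
  return { Effect: "Allow", Action: actions.slice(), Resource: [keyArn] };
}

// Hypothetical helpers named after the methods proposed in the issue.
function grantSign(keyArn: string): Statement { return grant(keyArn, ["kms:Sign"]); }
function grantVerify(keyArn: string): Statement { return grant(keyArn, ["kms:Verify"]); }
function grantSignVerify(keyArn: string): Statement {
  return grant(keyArn, ["kms:Sign", "kms:Verify"]);
}

// IAM-style match: '*' is any run of characters, '?' is one character.
function iamMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + body + "$", ignoreCase ? "i" : "").test(value);
}

// True if any statement allows `action` on `keyArn` (action names are case-insensitive).
function allows(stmts: Statement[], action: string, keyArn: string): boolean {
  return stmts.some((s) =>
    s.Action.some((a) => iamMatch(a, action, true)) &&
    s.Resource.some((r) => iamMatch(r, keyArn, false)));
}

// Flag statements that reach Sign/Verify through wildcards instead of explicit grants.
function audit(stmts: Statement[]): string[] {
  const findings: string[] = [];
  stmts.forEach((s, i) => {
    if (s.Action.some((a) => /[*?]/.test(a))) findings.push("statement " + i + ": wildcard action");
    if (s.Resource.some((r) => /[*?]/.test(r))) findings.push("statement " + i + ": wildcard resource");
  });
  return findings;
}
```

A verifier role built with `grantVerify` can check signatures but cannot produce them, which is the separation a blanket `kms:*` statement loses.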

@clementallen clementallen linked a pull request Dec 28, 2024 that will close this issue