From c630bc830c908b192afe5fb78e88aea2380d3600 Mon Sep 17 00:00:00 2001
From: hyeon
Date: Wed, 21 Aug 2024 23:35:38 +0900
Subject: [PATCH] Add permission to use adhoc KMS key
---
 worker/worker_cdk_stack.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/worker/worker_cdk_stack.py b/worker/worker_cdk_stack.py
index 849ca8f..9f94e5d 100644
--- a/worker/worker_cdk_stack.py
+++ b/worker/worker_cdk_stack.py
@@ -64,6 +64,14 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
 resources=[f"arn:aws:kms:{config.region_name}:{config.account_id}:key/{kms_key_id}"]
 )
 )
+ resp = ssm.get_parameter(Name=f"{config.stage}_9c_IAP_ADHOC_KMS_KEY_ID", WithDecryption=True)
+ kms_key_id = resp["Parameter"]["Value"]
+ role.add_to_policy(
+ _iam.PolicyStatement(
+ actions=["kms:GetPublicKey", "kms:Sign"],
+ resources=[f"arn:aws:kms:{config.region_name}:{config.account_id}:key/{kms_key_id}"]
+ )
+ )
 role.add_to_policy(
 _iam.PolicyStatement(
 actions=["ssm:GetParameter"],
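Review bot: The added lines rebind `kms_key_id`, the same name the preceding statement (still visible in the context lines) used to build the first key's ARN, so the two grants are distinguishable only by statement order and a later edit could easily attach `kms:Sign` to the wrong key; a distinct name such as `adhoc_kms_key_id = resp["Parameter"]["Value"]`, used in the new resource ARN as well, would make each grant self-describing. The new statement also repeats the ARN-building expression of the one above it; if both statements grant the same actions, one `_iam.PolicyStatement` listing both key ARNs in `resources` would be shorter, and otherwise a small helper taking the SSM parameter name and the action list would remove the duplication. The `ssm.get_parameter` call runs at synth time, so a missing parameter fails the deployment rather than yielding an empty ARN, which seems acceptable, but a one-line comment naming the workload that signs with the ad-hoc key would document why `kms:Sign` and `kms:GetPublicKey` are needed on this role. `__init__` begins and ends outside the hunk.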