12

I want to create a KMS key using CloudFormation. I want to be able to provide the user executing the cloudformation YAML file (I'll call them "cloudformation-runner"), administrative access to the key they create.

I can setup the IAM policy to provide that user ("cloudformation-runner") access to the KMS Administrative APIs. However, for the user to be able to update/delete the key that was just created, I also need to specify a KeyPolicy that lets them do it. To do this, how can I get the current username ("cloudformation-runner") within the CloudFormation script?

Here is how my template for the KMS key looks, how do I get the current user as the principal?

    MyKey:
          Type: AWS::KMS::Key
          Properties:
            Description: "..."
            KeyPolicy:
              Version: "2012-10-17"
              Id: "MyId"
              Statement:
                -
                  Sid: "Allow administration of the key"
                  Effect: "Allow"
                  Principal:
                    AWS:
                      - # TODO: Get Current User
                  Action:
                    - "kms:Create*"
                    - "kms:Describe*"
                    - "kms:Enable*"
                    - "kms:List*"
                    - "kms:Put*"
                    - "kms:Update*"
                    - "kms:Revoke*"
                    - "kms:Disable*"
                    - "kms:Get*"
                    - "kms:Delete*"
                    - "kms:ScheduleKeyDeletion"
                    - "kms:CancelKeyDeletion"
                  Resource: "*"

I can manually hardcode the ARN for the IAM user. However, that makes the template less portable - as people need to manually update the username within this file.

Maria Ines Parnisari
  • 16,584
  • 9
  • 85
  • 130
Aishwar
  • 9,284
  • 10
  • 59
  • 80
  • 2
    Possible duplicate to https://stackoverflow.com/questions/28727827/how-to-get-username-in-aws-cloudformation-template-file – sayboras Oct 20 '18 at 20:46
  • Possible duplicate of [How to get username in AWS Cloudformation template file?](https://stackoverflow.com/questions/28727827/how-to-get-username-in-aws-cloudformation-template-file) – kdgregory Oct 21 '18 at 15:11

2 Answers2

3

You can't access the current user once it can be an IAM Role running the CloudFormation template instead of an IAM User. But you can pass the username as a parameter.

I would like to give you an example that I think works well for your context:

  1. The "cloudformation-runner" can be a Role instead of a user. This Role can have a policy giving privileges to create KMS keys.
  2. The CloudFormation template can receive the IAM username and key name as parameters. From an IAM username, you can create the user ARN using CF functions.
  3. Besides creating the KMS keys, the parameters can be used to create the IAM policy and attach to the user giving read/write privileges to the newly created key.

That way your key creation process can create the key and give user privileges at the same time.

Anderson Marques
  • 808
  • 8
  • 13
3

Credit to this answer for the idea.

You can pass current user's ARN as CloudFormation parameter:

Parameters:
  ...
  CallingUserArn:
    Description: Calling user ARN
    Type: String

Resources
  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      ...
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref CallingUserArn
            ...

aws cloudformation deploy \
  --template-file cloudformation/stack.yml \
  --stack-name my-stack \
  --parameter-overrides CallingUserArn="$(aws sts get-caller-identity --query Arn --output text)"
Max Ivanov
  • 5,695
  • 38
  • 52