Skip to content

kms:Decrypt not authorized when adding an existing source bucket with encryption #1556

Description

@creativityjuice

## Description

I have trouble using the serverless-clamscan since I'm using an existing bucket with encryption as source bucket. serverless-clamscan lambda execution role doesn't have kms:Decrypt right for the key used to encrypt my source bucket files.

## Solution ?

Shouldn't that be automatically handled by the lib on addSourceBucket method ? Along with that part of the code:

bucket.grantRead(this._scanFunction);
this._scanFunction.addToRolePolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['s3:GetObjectTagging', 's3:GetObjectVersionTagging', 's3:PutObjectTagging', 's3:PutObjectVersionTagging'],
    resources: [bucket.arnForObjects('*')],
  }),
);

If you're ok with that, I could make a PR in order to get the key ARN used on that sourceBucket. Then I would use the addToRolePolicy to authorize kms:Decrypt on that key.

Error on Cloudwatch

[ERROR] Exception: 
{
    "source": "serverless-clamscan",
    "input_bucket": "*********",
    "input_key": "************************",
    "status": "ERROR",
    "message": "User: arn:aws:sts::************:assumed-role/*****ClamscanServerles-*****/ClamavStack-ClamscanServerle-***** is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:*:************:key/************** because no identity-based policy allows the kms:Decrypt action"
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions