aws-kms: missing sign and verify IAM roles #23185

jonasclaes · 2022-11-30T21:29:33Z

Describe the feature

The AWS KMS service has support for asymmetric keys.

When you want to sign or verify a piece of data against one of these keys, you need access to kms:Sign and/or kms:Verify.

These methods are not implemented at the moment.

Use Case

Signing of data and verifying of data using the AWS KMS service.

Proposed Solution

The grantSign, grantVerify and grantSignVerify methods are implemented in the same way as the current grantEncrypt, grantDecrypt and grantEncryptDecrypt methods.

Other Information

No response

Acknowledgements

I may be able to implement this feature request
This feature might incur a breaking change

CDK version used

2.53.0

Environment details (OS name and version, etc.)

Ubuntu 22.04.1 LTS

The text was updated successfully, but these errors were encountered:

jonasclaes · 2022-11-30T21:31:47Z

Some extra information:
https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-kms/lib/private/perms.ts should get kms:Sign and kms:Verify

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-kms/lib/key.ts#L14-L63 functions should be implemented here I think

jonasclaes · 2022-11-30T21:41:08Z

Sign: https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html
Verify: https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html
Other KMS permissions: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html

peterwoodworth · 2022-12-02T00:01:53Z

Thanks for the request and the links to documentation @jonasclaes, I see why this would be valuable to have 🙂

You can work around this by adding to the policy documents you wish to modify, or at the least you would be able to use escape hatches to modify any existing policies as well if they don't meet your needs

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'll try to review a PR

github-actions · 2025-01-06T06:42:49Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

github-actions · 2025-01-06T06:42:53Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

jonasclaes added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 30, 2022

github-actions bot added the @aws-cdk/aws-kms Related to AWS Key Management label Nov 30, 2022

github-actions bot assigned otaviomacedo Nov 30, 2022

peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 1, 2022

clementallen mentioned this issue Dec 28, 2024

feat(kms): add sign and verify related grant methods #32681

Merged

1 task

mergify bot closed this as completed in #32681 Jan 6, 2025

mergify bot closed this as completed in 86d2853 Jan 6, 2025

github-actions bot locked as resolved and limited conversation to collaborators Jan 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws-kms: missing sign and verify IAM roles #23185

aws-kms: missing sign and verify IAM roles #23185

jonasclaes commented Nov 30, 2022

jonasclaes commented Nov 30, 2022

jonasclaes commented Nov 30, 2022

peterwoodworth commented Dec 2, 2022

github-actions bot commented Jan 6, 2025

github-actions bot commented Jan 6, 2025