in source/services/tasks/tasks.ts [1152:1204]
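/**
 * Upserts the key-policy statement that grants `accounts` `kms:Decrypt` and
 * `kms:GenerateDataKey` on the master KMS key for the task `taskId`.
 *
 * The statement's `Sid` is `taskId`, so an existing statement with that Sid is
 * replaced rather than duplicated. Each account is granted through its
 * `arn:aws:iam::<account>:root` principal, i.e. the grant is account-wide and
 * delegates to whatever IAM identities that account's own policies allow — it
 * is not scoped to a single role.
 *
 * This is a read-modify-write of the `default` key policy with no conditional
 * write (KMS offers none), so concurrent calls can overwrite each other;
 * callers that edit the policy from several places should serialize them.
 *
 * @param taskId - Statement id under which the task's grant is stored.
 * @param accounts - AWS account ids (12 digits each) to grant; duplicates are
 *   dropped. Must be non-empty, because a statement with an empty principal
 *   list is not a valid policy document.
 * @returns Resolves on success; rejects with an `EditKmsPolicyFailure` error
 *   object (400 for invalid input, 500 when a KMS call or the policy shape fails).
 */
async editKmsPolicy(taskId: string, accounts: string[]): Promise<void | ErrorReturn> {
  type PolicyStatement = { Sid?: string; [key: string]: unknown };
  type KeyPolicy = { Statement?: PolicyStatement | PolicyStatement[]; [key: string]: unknown };

  // JSON.stringify drops message/stack of plain Error instances, so include the
  // message explicitly; SDK errors carry extra enumerable fields worth keeping.
  const formatError = (error: unknown): string =>
    error instanceof Error ? `${error.message} ${JSON.stringify(error)}` : JSON.stringify(error);

  // Validate before touching KMS: the ids are interpolated into principal ARNs,
  // so anything other than a 12-digit account id yields a malformed principal
  // and an unhelpful MalformedPolicyDocument error from KMS.
  const uniqueAccounts = Array.from(new Set(accounts));
  const invalidAccounts = uniqueAccounts.filter((account) => !/^\d{12}$/.test(account));
  if (uniqueAccounts.length === 0 || invalidAccounts.length > 0) {
    LOGGER.error(`editKmsPolicy Error: invalid or empty account list ${JSON.stringify(invalidAccounts)}`);
    return Promise.reject(
      COMMON_UTIL.getErrorObject(
        'EditKmsPolicyFailure',
        400,
        'Invalid or empty list of AWS account ids.',
        new Error(`invalid account ids: ${JSON.stringify(invalidAccounts)}`)
      )
    );
  }

  // Read the current policy. 'default' is the only policy name KMS supports.
  let policy: KeyPolicy = {};
  try {
    const params: AWS.KMS.GetKeyPolicyRequest = {
      KeyId: this.masterKmsArn,
      PolicyName: 'default'
    };
    const current = await this.kms.getKeyPolicy(params).promise();
    if (typeof current.Policy !== 'string') {
      throw new Error('KMS returned no policy document');
    }
    policy = JSON.parse(current.Policy) as KeyPolicy;
  } catch (error) {
    LOGGER.error(`editKmsPolicy Error: ${formatError(error)}`);
    return Promise.reject(
      COMMON_UTIL.getErrorObject('EditKmsPolicyFailure', 500, 'Error occurred while getting KMS policy.', error)
    );
  }

  // Replace (or add) this task's statement and write the policy back.
  try {
    // Policy grammar allows Statement to be a single object as well as an
    // array; anything else is unexpected and must not be silently dropped,
    // since writing back a policy without its existing statements could lock
    // administrators out of the key.
    let existing: PolicyStatement[];
    if (Array.isArray(policy.Statement)) {
      existing = policy.Statement;
    } else if (policy.Statement !== null && typeof policy.Statement === 'object') {
      existing = [policy.Statement];
    } else {
      throw new Error('Unexpected key policy shape: missing Statement');
    }
    const statements = existing.filter((statement) => statement.Sid !== taskId);
    statements.push({
      Sid: taskId,
      Effect: 'Allow',
      Principal: {
        AWS: uniqueAccounts.map((account) => `arn:aws:iam::${account}:root`)
      },
      Action: ['kms:Decrypt', 'kms:GenerateDataKey'],
      Resource: [this.masterKmsArn]
    });
    policy.Statement = statements;
    await this.kms.putKeyPolicy({
      KeyId: this.masterKmsArn,
      Policy: JSON.stringify(policy),
      PolicyName: 'default'
    }).promise();
  } catch (error) {
    LOGGER.error(`editKmsPolicy Error: ${formatError(error)}`);
    return Promise.reject(
      COMMON_UTIL.getErrorObject('EditKmsPolicyFailure', 500, 'Error occurred while putting KMS policy.', error)
    );
  }
}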