Merge pull request #117 from aws-samples/fix/sigv4-urls-to-support-s3-kms-encrypted-buckets

support for s3 kms encrypted buckets

Author: rstrahan

VERSION

@@ -1 +1 @@
-0.2.3
+0.2.4-a

pca-main-nokendra.template

@@ -612,3 +612,9 @@ Outputs:
     Description: PCA admin user
     Value: !Ref AdminUsername
 
+  RolesForKMSKey:
+    Description: When using KMS key to encrypt S3 input/output buckets, KMS key must grant access to these roles.
+    Value: !Join
+      - ', '
+      - - !Sub '${PCAUI.Outputs.RolesForKMSKey}'
+        - !Sub '${PCAServer.Outputs.RolesForKMSKey}'

pca-main.template

@@ -758,3 +758,10 @@ Outputs:
     Description: PCA admin user
     Value: !Ref AdminUsername
 
+  RolesForKMSKey:
+    Description: When using KMS key to encrypt S3 input/output buckets, KMS key must grant access to these roles.
+    Value: !Join
+      - ', '
+      - - !Sub '${PCAUI.Outputs.RolesForKMSKey}'
+        - !Sub '${PCAServer.Outputs.RolesForKMSKey}'
+

pca-server/cfn/lib/bulk.template

@@ -132,3 +132,10 @@ Resources:
           - CloudWatchLogsLogGroup:
               LogGroupArn: !GetAtt LogGroup.Arn
       RoleArn: !GetAtt Role.Arn
+
+Outputs:
+
+  RolesForKMSKey:
+    Value: !Join
+      - ', '
+      - - !Sub '"${BulkMoveFiles.Arn}"'

pca-server/cfn/lib/copy-samples.template

@@ -70,3 +70,10 @@ Resources:
     Properties:
       ServiceToken: !GetAtt CopySamplesFunction.Arn
       SamplesVersion: 0.2
+
+Outputs:
+
+  RolesForKMSKey:
+    Value: !Join
+      - ', '
+      - - !Sub '"${CopySamplesRole.Arn}"'

pca-server/cfn/lib/pca.template

@@ -236,3 +236,13 @@ Resources:
           - CloudWatchLogsLogGroup:
               LogGroupArn: !GetAtt LogGroup.Arn
       RoleArn: !GetAtt Role.Arn
+
+Outputs:
+
+  RolesForKMSKey:
+    Value: !Join
+      - ', '
+      - - !Sub '"${TranscribeLambdaRole.Arn}"'
+        - !Sub '"${TranscribeRole.Arn}"'
+        - !Sub '"${SFProcessTurnRole.Arn}"'
+

pca-server/cfn/lib/trigger.template

@@ -164,3 +164,10 @@ Resources:
           - dynamodb:DeleteItem
           - dynamodb:GetItem
           Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}
+
+Outputs:
+
+  RolesForKMSKey:
+    Value: !Join
+      - ', '
+      - - !Sub '"${FileDropTriggerRole.Arn}"'

pca-server/cfn/pca-server.template

@@ -77,4 +77,15 @@ Resources:
   GlueDatabase:
     Type: AWS::CloudFormation::Stack
     Properties:
-      TemplateURL: lib/glue-database.template
+      TemplateURL: lib/glue-database.template
+
+Outputs:
+
+  RolesForKMSKey:
+    Value: !Join
+      - ', '
+      - - !Sub '${CopySamples.Outputs.RolesForKMSKey}'
+        - !Sub '${Trigger.Outputs.RolesForKMSKey}'
+        - !Sub '${PCA.Outputs.RolesForKMSKey}'
+        - !Sub '${BulkImport.Outputs.RolesForKMSKey}'
+

pca-server/src/copy-samples/copy-samples.py

@@ -12,7 +12,8 @@ def lambda_handler(event, context):
     supportfiles_bucket = os.environ['SUPPORTFILES_BUCKET_NAME']
     input_bucket = os.environ['INPUT_BUCKET_NAME']
     prefix = os.environ['INPUT_BUCKET_RAW_AUDIO']
-    if event['RequestType'] != 'Delete':
+    requestType = event.get('RequestType')
+    if requestType != 'Delete':
         try:
             s3Client = boto3.client('s3')
             # sample entities
@@ -33,4 +34,5 @@ def lambda_handler(event, context):
             print(e)
             responseData["Error"] = f"Exception thrown: {e}"
             status = cfnresponse.FAILED
-    cfnresponse.send(event, context, status, responseData)
+    if requestType:
+        cfnresponse.send(event, context, status, responseData)

pca-ui/cfn/lib/api.template

@@ -198,3 +198,9 @@ Resources:
 Outputs:
   Uri:
     Value: !Sub https://${Api}.execute-api.${AWS::Region}.amazonaws.com/Prod
+
+  RolesForKMSKey:
+    Value: !Join
+      - ', '
+      - - !Sub '"${GetFunctionRole.Arn}"'
+        - !Sub '"${SwapFunctionRole.Arn}"'