We use a cross-account KMS key to encrypt CDK S3 buckets. When the ARN for this key is provided as the FileAssetsBucketKmsKeyId parameter value, the template generates an invalid policy statement. The parameter description notes that this can be either a KMS key ID or ARN value.
```yaml
- Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId}
```
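
The failure described above, reproduced as an added example (not part of the original report or of the CDK project's code): a minimal stand-in for `Fn::Sub` shows the string the template line yields for a key ID versus a key ARN, and `resolve_key_arn` is one hypothetical way to accept both forms. The account IDs, region and key ID are constructed sample values.

```python
import re

# Constructed sample values standing in for the CloudFormation pseudo parameters.
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1",
          "AWS::AccountId": "111111111111"}
# The Fn::Sub string from the template line quoted in the report.
TEMPLATE = ("arn:${AWS::Partition}:kms:${AWS::Region}:"
            "${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId}")
# Shape of a KMS key ARN: partition, region, 12-digit account, key ID.
KMS_KEY_ARN = re.compile(
    r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+")

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"            # constructed
CROSS_ACCOUNT_ARN = f"arn:aws:kms:us-east-1:222222222222:key/{KEY_ID}"


def fn_sub(template, values):
    """Minimal stand-in for Fn::Sub: replace each ${Name} with values[Name]."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: values[m.group(1)], template)


def template_resource(key_param):
    """The policy Resource string the quoted template line produces."""
    return fn_sub(TEMPLATE, {**PSEUDO, "FileAssetsBucketKmsKeyId": key_param})


def is_valid_key_arn(value):
    return KMS_KEY_ARN.fullmatch(value) is not None


def resolve_key_arn(key_param):
    """Hypothetical fix: pass a full ARN through, expand a bare key ID."""
    if is_valid_key_arn(key_param):
        return key_param          # keeps the key owner's account ID intact
    arn = template_resource(key_param)
    if not is_valid_key_arn(arn):
        raise ValueError(f"not a KMS key ID or key ARN: {key_param!r}")
    return arn


if __name__ == "__main__":
    for param in (KEY_ID, CROSS_ACCOUNT_ARN):
        out = template_resource(param)
        print(f"{param}\n  template -> {out} (valid={is_valid_key_arn(out)})")
        print(f"  resolved -> {resolve_key_arn(param)}")
```

With the ARN as input, the template output nests one ARN inside another and carries the deploying account's ID rather than the key owner's, so it cannot match the cross-account key.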