aws-cdk-lib/aws-s3-deployment: How to set up BucketDeployment when Staging bucket has a different encryption (SSE-KMS)

[AndreySamakhval]

What we have:

• s3 bucket that contains assets for some UI pages. This bucket is encrypted by Amazon S3-managed keys (SSE-S3). Also, we disabled all public access and configured only OAI because this bucket is used as an Origin for the Cloud Front Distribution. Also, we have some other AWS stuff, but it's not related to the question.
• CDK project that deploys AWS Stack:

const assetsBucket = new aws_s3.Bucket(this, 'Assets', {
      versioned: false,
      bucketName: '${this.stackName}-modules',
      encryption: aws_s3.BucketEncryption.S3_MANAGED,  
      removalPolicy: RemovalPolicy.DESTROY,
      autoDeleteObjects: true,
      blockPublicAccess: {
        blockPublicAcls: true,
        blockPublicPolicy: true,
        ignorePublicAcls: true,
        restrictPublicBuckets: true
      }
    });
    new BucketDeployment(this, 'DeployAssets', {
      sources: [
        Source.asset(
          path.join(__dirname, 'assets')
        )
      ],
      destinationBucket: assetsBucket
    });

• After updating to CDK v2 our Staging Bucket (s3://cdk-cdk2-assets-541118981314-us-east-1) has a different Encryption Setup: AWS Key Management Service key (SSE-KMS).

• cdk synth runs without errors

• cdk deploy runs into issues. Logs say:
  download failed: s3://cdk-cdk2-assets-541118981314-us-east-1/9cff4f3ef2c1f2874acc936555e1f100593bafb6583ebc74a546846bc32ab052.zip to ../../tmp/tmp8bb46rrl/ff9bc2e5-176c-41ef-8b60-513f2c3f62f9 An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

• If Encryption setup is the same for both s3 buckets (our Assets and Staging) cdk deploy works as expected.

And the question:
How can I configure BucketDeployment to fix this issue?

P.S. I've tried to add kmKeyId (from the Staging Bucket) to the BucketDeployment and it has no effects

[AndreySamakhval]

It was resolved by adding kms:decrypt permissions:

const role = new aws_iam.Role(this, 'BucketDeploymentRole',
    {
      assumedBy: new aws_iam.ServicePrincipal('lambda.amazonaws.com'),
      managedPolicies: [
        new aws_iam.ManagedPolicy(this, 'Policy', {
          statements: [
            new aws_iam.PolicyStatement({
              sid: "kmsPolicy",
              effect: aws_iam.Effect.ALLOW,
              actions: [
                "kms:Decrypt"
              ],
              resources: ["*"],
            })
          ]
        })
      ]
    });
    
    new BucketDeployment(this, 'DeployAssets', {
      sources: [
        Source.asset(
          path.join(__dirname, 'assets')
        )
      ],
      destinationBucket: assetsBucket,
      prune: false,
      distribution: distribution,
      role:role
    });

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.