When trying to create an SesSmtpCredentials construct where the target secret has a customer-managed encryption key, the stack fails to deploy with the message:
11:26:45 | CREATE_FAILED | AWS::CloudFormation::CustomResource | SMTPSmtpCredentialsLambda8E28161D
Received response status [FAILED] from custom resource. Message returned: Access to KMS is not allowed
Reduced test case:
import { Key } from 'aws-cdk-lib/aws-kms';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { SesSmtpCredentials } from '@pepperize/cdk-ses-smtp-credentials';
...
// Customer-managed KMS key used to encrypt the secret
const key = new Key(this, 'Key', {
  alias: 'mykey',
});
// Target secret encrypted with the customer-managed key
const secret = new Secret(this, 'Secret', {
  secretName: '/mysecret',
  encryptionKey: key,
});
// The construct's custom resource fails with "Access to KMS is not allowed"
new SesSmtpCredentials(this, 'SmtpCredentials', {
  userName: 'smtpuser',
  secret,
});