Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I am trying to use a customer-managed KMS key in my security account to encrypt secrets on an EKS cluster in my dev account.
I am seeing the following error:
error creating EKS Cluster (dev-eks-0c9qnxnc): InvalidParameterException: The keyArn for encryptionConfig must be owned by caller's account.
To my understanding, this should be possible as documented in the EKS code within the AWS SDK for Go: https://github.com/aws/aws-sdk-go/blob/master/service/eks/api.go#L5287
The role I am using to create the EKS cluster in the dev account has FullAccess privileges in the account, and the key policy for the KMS key in the security account grants IAM access to the dev account, so the role in the dev account is able to do everything with that key in the security account.
I have tested access by using the role from the dev account to encrypt an arbitrary piece of text using the KMS key from the security account and there were no issues.
This seems like EKS currently simply does not support encryption configs with cross-account KMS keys.
Can you please confirm if this is correct?
Are you currently working around this issue?
I am currently having to disable encryption config.
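As an added example (not code from the issue or from AWS), the setup described above in Python: a key policy in the security account that lets the dev-account cluster-creator role use the CMK, the `encryptionConfig` shape passed to `CreateCluster`, and a preflight check that flags the cross-account case and any required KMS actions the key policy omits. The account ids, ARNs and the `REQUIRED_ACTIONS` set are assumptions.

```python
import re

# Constructed sample values (not from the issue): a CMK in a "security" account
# and the cluster-creator role in a separate "dev" account.
KEY_ARN = "arn:aws:kms:eu-west-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CREATOR_ROLE_ARN = "arn:aws:iam::222222222222:role/eks-cluster-creator"
# Assumed minimum KMS actions the cluster creator needs on the key for secrets encryption.
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"}

ARN_RE = re.compile(r"^arn:aws[\w-]*:[^:]*:[^:]*:(?P<account>\d{12}):")

def arn_account(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group("account")

def key_policy_for(key_arn, creator_role_arn):
    """Key policy in the key's own account: root keeps admin, the dev role gets use."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{arn_account(key_arn)}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "EksSecretsEncryption", "Effect": "Allow",
         "Principal": {"AWS": creator_role_arn},
         "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}

def encryption_config(key_arn):
    """Shape of the CreateCluster encryptionConfig parameter (boto3 / aws cli)."""
    return [{"resources": ["secrets"], "provider": {"keyArn": key_arn}}]

def as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def preflight(key_arn, creator_role_arn, key_policy):
    """Report whether the key is cross-account and which required actions the key
    policy fails to grant the creator role. A grant to the dev account's root
    principal counts (the approach in the issue), but then an IAM policy on the
    role must also allow the same actions; that half is not checked here."""
    dev_root = f"arn:aws:iam::{arn_account(creator_role_arn)}:root"
    granted = set()
    for st in key_policy["Statement"]:
        p = st.get("Principal")
        principals = as_list(p.get("AWS") if isinstance(p, dict) else p)
        if st.get("Effect") == "Allow" and (creator_role_arn in principals or dev_root in principals):
            granted.update(as_list(st.get("Action")))
    missing = [] if "kms:*" in granted else sorted(REQUIRED_ACTIONS - granted)
    return {"cross_account": arn_account(key_arn) != arn_account(creator_role_arn),
            "missing_actions": missing}
```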
I contacted AWS Support regarding this issue and they are able to reproduce the issue on their side as well. Here's the excerpt of the communications:
Please refer to the updates below:
- I have tried to reproduce the issue in my lab using a key ARN that was created in another account and got a similar error message during cluster creation:
An error occurred (InvalidParameterException) when calling the CreateCluster operation: The keyArn for encryptionConfig must be owned by caller's account.
- As per the documentation in [1], it should be possible to allow the ARN of a key that was created in another account, provided that access to that CMK is available.
- I have escalated this to the backend team to check whether there are any restrictions, possible bugs, or additional instructions that should be included for cross-account KMS usage in an EKS cluster. I am following up with them and will keep you updated.
- I understand this is blocking you from creating a cluster. I apologize for the inconvenience caused by this issue. As a workaround, please try to create and use a key from the same cluster-creator account if that is a feasible option for your setup. I have verified that it works fine if the key is created and used within the same account.
Please allow me to update this case status to "Pending Amazon Action" and I will get back to you when I have more updates.
Have a nice day.
References:
-------------
[1] https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
/cc @mhausenblas
Hey @charlesakalugwu, thanks for reporting. We are in the process of rolling out a fix, and will close this issue when it's complete.
Thanks @mikestef9! Looking forward to seeing this rolled out. Cheers.
Closing issue, as this has been deployed
How can we use a cross-account CMK (attached to the AMI/EBS of the launch template) with a created EKS cluster? The EKS cluster gets created with its own Auto Scaling Group and the default service-linked role (AWSServiceRoleForAutoScaling).
We have created our own custom service-linked role for the Auto Scaling Group (AWSServiceRoleForAutoScaling_XX) and added it to the CMK policy.
We want our EKS cluster to be created with an Auto Scaling Group, and this default EKS Auto Scaling Group should use our custom service-linked role (AWSServiceRoleForAutoScaling_XX).
Is there any way to achieve this by having the custom service-linked role (AWSServiceRoleForAutoScaling_XX) added to the CMK policy?