Merge pull request #58 from moj-analytical-services/add-kms-permissions

added kms functionality

.gitignore

@@ -1,2 +1,3 @@
 dist
 __pycache__/
+venv

CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## v4.3.0
+
+- added kms permissions
+
 ## v4.2.2
 
 - updated pypi action for trusted publisher

README.md

@@ -69,6 +69,9 @@ s3:
 
   deny:
     - test_bucket_read_write/sensitive_table/*
+
+kms:
+  - test_kms_key_arn
 ```
 
 Whilst the example json (`iam_config.json`) looks like this:
@@ -93,7 +96,8 @@ Whilst the example json (`iam_config.json`) looks like this:
       "test_bucket_read_write/*",
       "test_bucket_read_only/write_folder/*"
     ]
-  }
+  },
+  "kms": ["test_kms_key_arn"]
 }
 ```
 - **iam_role_name:** The role name of your airflow job; required if you want to run glue jobs or access secrets.
@@ -115,6 +119,10 @@ Whilst the example json (`iam_config.json`) looks like this:
   - **read_write:** A list of s3 paths that the iam_role should be able to access (read and write). Each item in the list should either be a path to a object or finish with `/*` to denote that it can access everything within that directory. _Note the S3 paths don't start with `s3://` in the config._
 
   - **deny:** A list of s3 paths that the iam_role should _not_ be able to access. This should be used to add exceptions to wildcarded access to folders, for example excluding sensitive tables in order to provide basic access to a database. Each item in the list should either be a path to a object or finish with `/*` to denote that it can access everything within that directory. _Note the S3 paths don't start with `s3://` in the config._
+
+- **kms:**: A list of kms arns that the iam_role should be able to access. Can call the DescribeKey, GenerateDataKey, Decrypt, Encrypt and ReEncrypt 
+  operations.
+
 ## How to update
 
 When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`.

examples/iam_config.json

@@ -21,5 +21,9 @@
     "deny": [
       "test_bucket_read_write/sensitive_table/*"
     ]
-  }
+  },
+  "kms": [
+    "arn:aws:kms:test_region:test_account:key/test_key",
+    "arn:aws:kms:test_region_2:test_account:key/test_key_2"
+  ]
 }

examples/iam_config.yaml

@@ -23,3 +23,7 @@ s3:
 
   deny:
     - test_bucket_read_write/sensitive_table/*
+
+kms:
+  - arn:aws:kms:test_region:test_account:key/test_key
+  - arn:aws:kms:test_region_2:test_account:key/test_key_2

examples/iam_policy.json

@@ -271,6 +271,21 @@
             "Resource": [
                 "arn:aws:kms:::key/*"
             ]
+        },
+        {
+            "Sid": "kmsPermissions",
+            "Action": [
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:Encrypt",
+                "kms:DescribeKey",
+                "kms:Decrypt"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:kms:test_region:test_account:key/test_key",
+                "arn:aws:kms:test_region_2:test_account:key/test_key_2"
+            ]
         }
     ]
 }

iam_builder/iam_builder.py

@@ -11,6 +11,7 @@
     get_deny_policy,
     get_s3_list_bucket_policy,
     get_secrets,
+    get_kms_permissions
 )
 from iam_builder.iam_schema import validate_iam
 
@@ -90,4 +91,9 @@ def build_iam_policy(config: dict) -> dict:  # noqa: C901
             iam["Statement"].append(secrets_statement)
             iam["Statement"].extend(iam_lookup["decrypt_statement"])
 
+    if "kms" in config:
+        kms_arns = config["kms"]
+        kms_permissions = get_kms_permissions(kms_arns)
+        iam["Statement"].append(kms_permissions)
+
     return iam

iam_builder/schemas/iam_schema.json

@@ -74,6 +74,13 @@
                 }
             }
         },
+        "kms": {
+            "description": "A list of kms key arns that the iam_role should be able to acces.",
+            "type": "array",
+            "items": {
+                "type": "string"
+            }
+        },
         "role_duration_seconds":{
             "description": "Max duration role can be assumed for in seconds",
             "type": "integer"

iam_builder/templates.py

@@ -372,3 +372,18 @@ def get_secrets(iam_role: str, write=False) -> dict:
             ]
         }
     return statement
+
+def get_kms_permissions(kms_arns: list) -> dict:
+    policy = {
+        "Sid": "kmsPermissions",
+        "Action": [
+            "kms:ReEncrypt*",
+            "kms:GenerateDataKey*",
+            "kms:Encrypt",
+            "kms:DescribeKey",
+            "kms:Decrypt"
+        ],
+        "Effect": "Allow",
+        "Resource": kms_arns,
+    }
+    return policy

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.2.2"
+version = "4.3.0"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei <[email protected]>"]
 license = "MIT"

tests/expected_policy/all_config.json

@@ -255,6 +255,21 @@
                 "arn:aws:s3:::test_bucket_read_write",
                 "arn:aws:s3:::test_bucket_write_only"
             ]
+        },
+        {
+            "Sid": "kmsPermissions",
+            "Action": [
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:Encrypt",
+                "kms:DescribeKey",
+                "kms:Decrypt"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:kms:test_region:test_account:key/test_key",
+                "arn:aws:kms:test_region_2:test_account:key/test_key_2"
+            ]
         }
     ]
 }

tests/test_config/all_config.yaml

@@ -16,3 +16,7 @@ s3:
   read_write:
     - test_bucket_read_write/*
     - test_bucket_read_only/write_folder/*
+
+kms:
+  - arn:aws:kms:test_region:test_account:key/test_key
+  - arn:aws:kms:test_region_2:test_account:key/test_key_2