
[kms] overriding policy default statement #10575

@pproux

Description

Setting a KMS policy parameter adds a statement to the default policy instead of overriding the whole policy.

Reproduction Steps

    from aws_cdk import core, aws_iam, aws_kms

    class KmsStack(core.Stack):
        def __init__(self, scope, id, **kwargs):
            super().__init__(scope, id, **kwargs)
            # Key with an explicit key policy; the expectation is that this
            # document replaces the construct's default policy entirely.
            aws_kms.Key(
                self, 'mykey',
                policy=aws_iam.PolicyDocument(
                    statements=[
                        aws_iam.PolicyStatement(
                            effect=aws_iam.Effect.ALLOW,
                            actions=['kms:*'],
                            # account id redacted in the report
                            principals=[aws_iam.ArnPrincipal('arn:aws:iam::xxxxxxxxxx:root')],
                        )
                    ]
                ),
            )

What did you expect to happen?

I was expecting the new KMS policy to be exactly what I set in the policy parameter:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxx:root"
            },
            "Action": "kms:*"
        }
    ]
}

What actually happened?

Instead, it was added as a new statement alongside the default one.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxx:root"
            },
            "Action": "kms:*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxx:root"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:GenerateDataKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

Environment

  • CLI Version : (cdk --version) 1.64.1
  • Framework Version: (pip3 list | grep aws-cdk.aws-kms) 1.64.1
  • Node.js Version: (node -v) v10.16.3
  • OS: (uname -r) 4.14.146-93.123.amzn1.x86_64
  • Language (Version): (python --version) Python 3.6.8

This is a 🐛 Bug Report
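The check a practitioner would want here, as an added example that is not part of the original report or of the aws-cdk project: a small linter that takes the document passed to `aws_kms.Key(policy=...)` and the document CDK actually synthesized (both constructed below from the JSON in the report, with `xxxxxxxxxx` standing in for the redacted account id), lists the statements that were merged in, and, more importantly, lists the (principal, action) grants the merged policy allows that the intended one did not. For the reporter's `kms:*`-to-root policy the default statement adds no permissions, only an unexpected statement; the second, constructed narrow policy (a made-up role ARN granted only `kms:Decrypt`) shows the case that matters, where the silently merged default hands the account root fifteen admin action patterns the author never wrote. The function and constant names are this example's own.

```python
# Added example (not from the issue or from aws-cdk): lint a synthesized KMS
# key policy against the one that was intended. Policies are constructed from
# the report's JSON; the narrow policy and its role ARN are made up, and
# 'xxxxxxxxxx' stands in for an account id.
import json
from fnmatch import fnmatchcase

ROOT = "arn:aws:iam::xxxxxxxxxx:root"

# Constructed from the report: the document passed as `policy=`.
INTENDED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*"},
    ],
}

# Constructed from the report: the default admin statement CDK merged in.
CDK_DEFAULT_ADMIN = {
    "Effect": "Allow",
    "Principal": {"AWS": ROOT},
    "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion", "kms:GenerateDataKey",
        "kms:TagResource", "kms:UntagResource",
    ],
    "Resource": "*",
}
SYNTHESIZED = {"Version": "2012-10-17",
               "Statement": INTENDED["Statement"] + [CDK_DEFAULT_ADMIN]}

# Constructed (made-up role ARN): a narrow policy where the merge matters.
INTENDED_NARROW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::xxxxxxxxxx:role/app-decrypt"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}
SYNTHESIZED_NARROW = {"Version": "2012-10-17",
                      "Statement": INTENDED_NARROW["Statement"] + [CDK_DEFAULT_ADMIN]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Principal ARNs of a statement; {'*'} for the anonymous principal."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return {arn for arns in principal.values() for arn in _as_list(arns)}


def allowed(policy, principal, action):
    """True if an Allow statement in `policy` grants `action` to `principal`.

    `action` may itself be a pattern ('kms:Create*'): it counts as allowed only
    if an intended pattern covers it literally, so 'kms:*' covers 'kms:Create*'
    but 'kms:Describe*' does not cover 'kms:*'. Conditions are ignored; key
    policies use Resource "*" and the question is which actions are callable.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not ({"*", principal} & _principals(stmt)):
            continue
        if any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            return True
    return False


def widened_grants(intended, actual):
    """Sorted (principal, action) pairs `actual` allows and `intended` does not."""
    widened = set()
    for stmt in actual["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            for action in _as_list(stmt["Action"]):
                if not allowed(intended, principal, action):
                    widened.add((principal, action))
    return sorted(widened)


def extra_statements(intended, actual):
    """Statements in `actual` that do not appear verbatim in `intended`."""
    wanted = {json.dumps(s, sort_keys=True) for s in intended["Statement"]}
    return [s for s in actual["Statement"]
            if json.dumps(s, sort_keys=True) not in wanted]


if __name__ == "__main__":
    # Reporter's case: kms:* to root already covers every default action, so
    # nothing is widened, but one statement the author never wrote is present.
    print(widened_grants(INTENDED, SYNTHESIZED), len(extra_statements(INTENDED, SYNTHESIZED)))
    # Narrow case: the merged default silently hands root the admin action list.
    for principal, action in widened_grants(INTENDED_NARROW, SYNTHESIZED_NARROW):
        print("widened:", principal, "may call", action)
```

Run it against the `KeyPolicy` value from `cdk synth` output rather than the constructed dictionaries to check a real stack. Until the construct treats `policy` as a full replacement, the L1 escape hatch (`key.node.default_child.add_property_override('KeyPolicy', ...)` on the underlying `CfnKey`) can set the exact document; that call is not exercised in this offline example.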

Metadata

Labels

  • @aws-cdk/aws-kms: Related to AWS Key Management
  • effort/small: Small work item – less than a day of effort
  • feature-request: A feature should be added or improved.
  • p2
