
fix(iam): add kmsKeyArns config option to autogenerated IAM role #756

Open
VirtueMe wants to merge 1 commit into master from fix/391_kms-permissions-iam-role

@VirtueMe
Collaborator

Closes #391

Summary

  • Add kmsKeyArns config option at the state machine level — accepts an array of ARN strings or CF intrinsics (Ref, Fn::GetAtt, etc.)
  • Autogenerated IAM role gains kms:Decrypt, kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey on the specified key ARNs
  • Schema updated to validate the new field; 2 new unit tests added
  • README documents the new option with a usage example

Test plan

  • 541 unit tests pass
  • State machine with kmsKeyArns generates correct KMS statement in IAM role
  • State machine without kmsKeyArns is unaffected

🤖 Generated with Claude Code

Allow users to specify KMS key ARNs at the state machine level so the
plugin adds the required data-key permissions (kms:Decrypt, kms:Encrypt,
kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey) to the
autogenerated IAM role.

Closes #391

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
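
The mapping described in the summary, from a `kmsKeyArns` array to one IAM statement, as an added example that is not the plugin's own code. The function and constant names, the ARN pattern, the set of accepted intrinsics and the refusal of wildcard entries are assumptions of this sketch.

```javascript
// Added illustration, not the plugin's source; all names here are hypothetical.
// The five actions are the ones listed in the PR summary.
const KMS_ACTIONS = [
  'kms:Decrypt',
  'kms:Encrypt',
  'kms:ReEncrypt*',
  'kms:GenerateDataKey*',
  'kms:DescribeKey',
];

// Assumed shape of a key ARN: arn:<partition>:kms:<region>:<account>:key/<id>
const KMS_KEY_ARN = /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/[A-Za-z0-9-]+$/;

// CloudFormation intrinsics accepted in place of a literal ARN (assumed set).
const INTRINSICS = new Set(['Ref', 'Fn::GetAtt', 'Fn::ImportValue', 'Fn::Sub', 'Fn::Join']);

function isIntrinsic(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const keys = Object.keys(value);
  return keys.length === 1 && INTRINSICS.has(keys[0]);
}

// Returns the IAM statement for the role, or null when no keys are configured.
function buildKmsStatement(kmsKeyArns) {
  if (kmsKeyArns === undefined) return null;
  if (!Array.isArray(kmsKeyArns) || kmsKeyArns.length === 0) {
    throw new TypeError('kmsKeyArns must be a non-empty array');
  }
  kmsKeyArns.forEach((entry, i) => {
    const ok = (typeof entry === 'string' && KMS_KEY_ARN.test(entry)) || isIntrinsic(entry);
    // Refusing "*" and alias ARNs keeps the grant scoped to named keys.
    if (!ok) throw new TypeError(`kmsKeyArns[${i}] is not a key ARN or CloudFormation intrinsic`);
  });
  return { Effect: 'Allow', Action: [...KMS_ACTIONS], Resource: kmsKeyArns };
}

// Constructed sample input: one literal ARN and one reference to a key in the same stack.
const sample = [
  'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
  { 'Fn::GetAtt': ['StateMachineKey', 'Arn'] },
];
console.log(JSON.stringify(buildKmsStatement(sample), null, 2));
```

`Ref` on an `AWS::KMS::Key` resource returns the key ID rather than the ARN, so `Fn::GetAtt` with `Arn` is the form that resolves to an ARN for a key defined in the same template.
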
@pkg-pr-new

pkg-pr-new bot commented Apr 10, 2026

Open in StackBlitz

npm i https://pkg.pr.new/serverless-operations/serverless-step-functions@756

commit: 92998bd

Development

Successfully merging this pull request may close these issues.

Autogenerated IAM role for SFN is missing KMS permissions

1 participant