fix: KMS access denied errors when downloading the static env file

internal/pkg/cli/deploy/backend.go

@@ -106,6 +106,7 @@ func (d *backendSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (
 			Manifest:           d.backendMft,
 			RawManifest:        d.rawMft,
 			ArtifactBucketName: d.resources.S3Bucket,
+			ArtifactKey:        d.resources.KMSKeyARN,
 			RuntimeConfig:      *rc,
 			Addons:             d.addons,
 		})

internal/pkg/cli/deploy/job.go

@@ -109,6 +109,7 @@ func (d *jobDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*jobSta
 			Manifest:           d.jobMft,
 			RawManifest:        d.rawMft,
 			ArtifactBucketName: d.resources.S3Bucket,
+			ArtifactKey:        d.resources.KMSKeyARN,
 			RuntimeConfig:      *rc,
 			Addons:             d.addons,
 		})

internal/pkg/cli/deploy/lbws.go

@@ -169,6 +169,7 @@ func (d *lbWebSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*s
 			Manifest:           d.lbMft,
 			RawManifest:        d.rawMft,
 			ArtifactBucketName: d.resources.S3Bucket,
+			ArtifactKey:        d.resources.KMSKeyARN,
 			RuntimeConfig:      *rc,
 			RootUserARN:        in.RootUserARN,
 			Addons:             d.addons,

internal/pkg/cli/deploy/rdws.go

@@ -153,6 +153,7 @@ func (d *rdwsDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*rdwsS
 			Manifest:           d.rdwsMft,
 			RawManifest:        d.rawMft,
 			ArtifactBucketName: d.resources.S3Bucket,
+			ArtifactKey:        d.resources.KMSKeyARN,
 			RuntimeConfig:      *rc,
 			Addons:             d.addons,
 		})

internal/pkg/cli/deploy/static_site.go

@@ -177,6 +177,7 @@ func (d *staticSiteDeployer) stackConfiguration(in *StackRuntimeConfiguration) (
 		Manifest:           d.staticSiteMft,
 		RawManifest:        d.rawMft,
 		ArtifactBucketName: d.resources.S3Bucket,
+		ArtifactKey:        d.resources.KMSKeyARN,
 		RuntimeConfig:      *rc,
 		RootUserARN:        in.RootUserARN,
 		Addons:             d.addons,

internal/pkg/cli/deploy/worker.go

@@ -186,6 +186,7 @@ func (d *workerSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*
 			Manifest:           d.wsMft,
 			RawManifest:        d.rawMft,
 			ArtifactBucketName: d.resources.S3Bucket,
+			ArtifactKey:        d.resources.KMSKeyARN,
 			RuntimeConfig:      *rc,
 			Addons:             d.addons,
 		})

internal/pkg/deploy/cloudformation/stack/backend_svc.go

@@ -34,6 +34,7 @@ type BackendServiceConfig struct {
 	EnvManifest        *manifest.Environment
 	Manifest           *manifest.BackendService
 	ArtifactBucketName string
+	ArtifactKey        string
 	RawManifest        string
 	RuntimeConfig      RuntimeConfig
 	Addons             NestedStackConfigurer
@@ -55,6 +56,7 @@ func NewBackendService(conf BackendServiceConfig) (*BackendService, error) {
 				app:                conf.App.Name,
 				permBound:          conf.App.PermissionsBoundary,
 				artifactBucketName: conf.ArtifactBucketName,
+				artifactKey:        conf.ArtifactKey,
 				rc:                 conf.RuntimeConfig,
 				image:              conf.Manifest.ImageConfig.Image,
 				rawManifest:        conf.RawManifest,

internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go

@@ -98,6 +98,7 @@ func TestBackendService_TemplateAndParamsGeneration(t *testing.T) {
 				},
 				EnvManifest:        envConfig,
 				ArtifactBucketName: "bucket",
+				ArtifactKey:        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 				Manifest:           mft.(*manifest.BackendService),
 				RuntimeConfig: stack.RuntimeConfig{
 					ServiceDiscoveryEndpoint: fmt.Sprintf("%s.%s.local", envName, appName),

internal/pkg/deploy/cloudformation/stack/backend_svc_test.go

@@ -680,6 +680,10 @@ func TestBackendService_Parameters(t *testing.T) {
 			ParameterKey:   aws.String(WorkloadEnvFileARNParamKey),
 			ParameterValue: aws.String(""),
 		},
+		{
+			ParameterKey:   aws.String(WorkloadArtifactKeyARNParamKey),
+			ParameterValue: aws.String(""),
+		},
 		{
 			ParameterKey:   aws.String(WorkloadTargetContainerParamKey),
 			ParameterValue: aws.String("frontend"),

internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go

@@ -86,6 +86,7 @@ func TestGrpcLoadBalancedWebService_Template(t *testing.T) {
 			EnvManifest:        envConfig,
 			Manifest:           v,
 			ArtifactBucketName: "bucket",
+			ArtifactKey:        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 			RuntimeConfig: stack.RuntimeConfig{
 				ServiceDiscoveryEndpoint: svcDiscoveryEndpointName,
 				AccountID:                "123456789123",

internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go

@@ -106,6 +106,7 @@ func TestNetworkLoadBalancedWebService_Template(t *testing.T) {
 			EnvManifest:        envConfig,
 			Manifest:           v,
 			ArtifactBucketName: "bucket",
+			ArtifactKey:        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 			RuntimeConfig: stack.RuntimeConfig{
 				ServiceDiscoveryEndpoint: svcDiscoveryEndpointName,
 				AccountID:                "123456789123",

internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go

@@ -132,6 +132,7 @@ func TestLoadBalancedWebService_TemplateInteg(t *testing.T) {
 			EnvManifest:        envConfig,
 			Manifest:           v,
 			ArtifactBucketName: "bucket",
+			ArtifactKey:        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 			RuntimeConfig: stack.RuntimeConfig{
 				ServiceDiscoveryEndpoint: svcDiscoveryEndpointName,
 				AccountID:                "123456789123",

internal/pkg/deploy/cloudformation/stack/lb_web_svc.go

@@ -59,6 +59,7 @@ type LoadBalancedWebServiceConfig struct {
 	RuntimeConfig      RuntimeConfig
 	RootUserARN        string
 	ArtifactBucketName string
+	ArtifactKey        string
 	Addons             NestedStackConfigurer
 	AppHostedZoneID    string
 }
@@ -101,6 +102,7 @@ func NewLoadBalancedWebService(conf LoadBalancedWebServiceConfig,
 				app:                conf.App.Name,
 				permBound:          conf.App.PermissionsBoundary,
 				artifactBucketName: conf.ArtifactBucketName,
+				artifactKey:        conf.ArtifactKey,
 				rc:                 conf.RuntimeConfig,
 				image:              conf.Manifest.ImageConfig.Image,
 				rawManifest:        conf.RawManifest,

internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go

@@ -552,6 +552,10 @@ func TestLoadBalancedWebService_Parameters(t *testing.T) {
 			ParameterKey:   aws.String(WorkloadEnvFileARNParamKey),
 			ParameterValue: aws.String(""),
 		},
+		{
+			ParameterKey:   aws.String(WorkloadArtifactKeyARNParamKey),
+			ParameterValue: aws.String(""),
+		},
 	}
 	testCases := map[string]struct {
 		httpsEnabled         bool
@@ -966,6 +970,7 @@ func TestLoadBalancedWebService_SerializedParameters(t *testing.T) {
   "Parameters": {
     "AddonsTemplateURL": "",
     "AppName": "phonetool",
+    "ArtifactKeyARN": "",
     "ContainerImage": "111111111111.dkr.ecr.us-west-2.amazonaws.com/phonetool/frontend:manual-bf3678c",
     "ContainerPort": "80",
     "DNSDelegated": "false",

internal/pkg/deploy/cloudformation/stack/rd_web_svc.go

@@ -55,6 +55,7 @@ type RequestDrivenWebServiceConfig struct {
 	Manifest           *manifest.RequestDrivenWebService
 	RawManifest        string
 	ArtifactBucketName string
+	ArtifactKey        string
 	RuntimeConfig      RuntimeConfig
 	Addons             NestedStackConfigurer
 }
@@ -75,6 +76,7 @@ func NewRequestDrivenWebService(cfg RequestDrivenWebServiceConfig) (*RequestDriv
 				app:                cfg.App.Name,
 				permBound:          cfg.App.PermissionsBoundary,
 				artifactBucketName: cfg.ArtifactBucketName,
+				artifactKey:        cfg.ArtifactKey,
 				rc:                 cfg.RuntimeConfig,
 				image:              cfg.Manifest.ImageConfig.Image,
 				rawManifest:        cfg.RawManifest,

internal/pkg/deploy/cloudformation/stack/scheduled_job.go

@@ -92,6 +92,7 @@ type ScheduledJobConfig struct {
 	Env                string
 	Manifest           *manifest.ScheduledJob
 	ArtifactBucketName string
+	ArtifactKey        string
 	RawManifest        string
 	RuntimeConfig      RuntimeConfig
 	Addons             NestedStackConfigurer
@@ -113,6 +114,7 @@ func NewScheduledJob(cfg ScheduledJobConfig) (*ScheduledJob, error) {
 				app:                cfg.App.Name,
 				permBound:          cfg.App.PermissionsBoundary,
 				artifactBucketName: cfg.ArtifactBucketName,
+				artifactKey:        cfg.ArtifactKey,
 				rc:                 cfg.RuntimeConfig,
 				image:              cfg.Manifest.ImageConfig.Image,
 				rawManifest:        cfg.RawManifest,

internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go

@@ -69,6 +69,7 @@ func TestScheduledJob_Template(t *testing.T) {
 		Env:                envName,
 		Manifest:           v,
 		ArtifactBucketName: "bucket",
+		ArtifactKey:        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 		RuntimeConfig: stack.RuntimeConfig{
 			ServiceDiscoveryEndpoint: "test.my-app.local",
 			AccountID:                "123456789123",

internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go

@@ -496,6 +496,10 @@ func TestScheduledJob_Parameters(t *testing.T) {
 			ParameterKey:   aws.String(WorkloadEnvFileARNParamKey),
 			ParameterValue: aws.String(""),
 		},
+		{
+			ParameterKey:   aws.String(WorkloadArtifactKeyARNParamKey),
+			ParameterValue: aws.String(""),
+		},
 		{
 			ParameterKey:   aws.String(ScheduledJobScheduleParamKey),
 			ParameterValue: aws.String("cron(0 0 * * ? *)"),
@@ -590,6 +594,7 @@ func TestScheduledJob_SerializedParameters(t *testing.T) {
   "Parameters": {
     "AddonsTemplateURL": "",
     "AppName": "phonetool",
+    "ArtifactKeyARN": "",
     "ContainerImage": "111111111111.dkr.ecr.us-west-2.amazonaws.com/phonetool/frontend:manual-bf3678c",
     "EnvFileARN": "",
     "EnvName": "test",

internal/pkg/deploy/cloudformation/stack/static_site.go

@@ -37,6 +37,7 @@ type StaticSiteConfig struct {
 	RuntimeConfig      RuntimeConfig
 	RootUserARN        string
 	ArtifactBucketName string
+	ArtifactKey        string
 	Addons             NestedStackConfigurer
 	AssetMappingURL    string
 	AppHostedZoneID    string
@@ -69,6 +70,7 @@ func NewStaticSite(cfg *StaticSiteConfig) (*StaticSite, error) {
 			app:                cfg.App.Name,
 			permBound:          cfg.App.PermissionsBoundary,
 			artifactBucketName: cfg.ArtifactBucketName,
+			artifactKey:        cfg.ArtifactKey,
 			rc:                 cfg.RuntimeConfig,
 			rawManifest:        cfg.RawManifest,
 			parser:             fs,
@@ -167,6 +169,10 @@ func (s *StaticSite) Parameters() ([]*cloudformation.Parameter, error) {
 			ParameterKey:   aws.String(WorkloadAddonsTemplateURLParamKey),
 			ParameterValue: aws.String(s.rc.AddonsTemplateURL),
 		},
+		{
+			ParameterKey:   aws.String(WorkloadArtifactKeyARNParamKey),
+			ParameterValue: aws.String(s.wkld.artifactKey),
+		},
 	}, nil
 }
 

internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go

@@ -103,6 +103,7 @@ func TestStaticSiteService_TemplateAndParamsGeneration(t *testing.T) {
 				Region:     "us-west-2",
 			},
 			ArtifactBucketName: "stackset-bucket",
+			ArtifactKey:        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 			AssetMappingURL:    "s3://stackset-bucket/mappingfile",
 			RootUserARN:        "arn:aws:iam::123456789123:root",
 			AppHostedZoneID:    "Z00DEF",

internal/pkg/deploy/cloudformation/stack/static_site_test.go

@@ -269,6 +269,10 @@ func TestStaticSite_Parameters(t *testing.T) {
 					ParameterKey:   aws.String(WorkloadAddonsTemplateURLParamKey),
 					ParameterValue: aws.String("mockURL"),
 				},
+				{
+					ParameterKey:   aws.String(WorkloadArtifactKeyARNParamKey),
+					ParameterValue: aws.String("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
+				},
 			},
 		},
 	}
@@ -291,7 +295,8 @@ func TestStaticSite_Parameters(t *testing.T) {
 						Name: aws.String(testEnvName),
 					},
 				},
-				Manifest: testManifest,
+				Manifest:    testManifest,
+				ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 			})
 			require.NoError(t, err)
 
@@ -328,13 +333,15 @@ func TestStaticSite_SerializedParameters(t *testing.T) {
 				"owner": "copilot",
 			},
 		},
+		ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 	})
 	params, err := c.SerializedParameters()
 	require.NoError(t, err)
 	require.Equal(t, params, `{
   "Parameters": {
     "AddonsTemplateURL": "",
     "AppName": "phonetool",
+    "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "EnvName": "test",
     "WorkloadName": "frontend"
   },

internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json

@@ -2,6 +2,7 @@
   "Parameters": {
     "AddonsTemplateURL": "",
     "AppName": "my-app",
+    "ArtifactKeyARN": "",
     "ContainerImage": "mockImageURL:latest",
     "ContainerPort": "5000",
     "DNSDelegated": "false",

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json

@@ -11,6 +11,7 @@
 		"LogRetention": "30",
 		"ContainerPort": "8080",
 		"EnvFileARN": "",
+		"ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 		"TargetContainer": "http-autoscaling",
 		"TargetPort": "8080",
 		"RulePath": "http-autoscaling-path",

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml

@@ -29,6 +29,9 @@ Parameters:
     Description: "URL of the environment file."
     Type: String
     Default: ""
+  ArtifactKeyARN:
+    Type: String
+    Description: 'KMS Key used for encrypting artifacts'
   LogRetention:
     Type: Number
     Default: 30
@@ -153,7 +156,7 @@ Resources:
                 Action:
                   - "kms:Decrypt"
                 Resource:
-                  - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*"
+                  - !Ref ArtifactKeyARN
         - !If
           # Optional IAM permission required by ECS task def env file
           # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json

@@ -11,6 +11,7 @@
 		"LogRetention": "30",
 		"ContainerPort": "8080",
 		"EnvFileARN": "",
+		"ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 		"EnvFileARNForfluentbit": "",
 		"TargetContainer": "http-full-config",
 		"TargetPort": "8081",

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml

@@ -33,6 +33,9 @@ Parameters:
     Description: "URL of the environment file."
     Type: String
     Default: ""
+  ArtifactKeyARN:
+    Type: String
+    Description: 'KMS Key used for encrypting artifacts'
   LogRetention:
     Type: Number
     Default: 30
@@ -188,7 +191,7 @@ Resources:
                 Action:
                   - "kms:Decrypt"
                 Resource:
-                  - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*"
+                  - !Ref ArtifactKeyARN
         - !If
           # Optional IAM permission required by ECS task def env file
           # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json

@@ -11,6 +11,7 @@
 		"LogRetention": "30",
 		"ContainerPort": "8080",
 		"EnvFileARN": "",
+		"ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 		"TargetContainer": "http-only-path",
 		"TargetPort": "8080",
 		"RulePath": "http-only-path-path",

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml

@@ -29,6 +29,9 @@ Parameters:
     Description: "URL of the environment file."
     Type: String
     Default: ""
+  ArtifactKeyARN:
+    Type: String
+    Description: 'KMS Key used for encrypting artifacts'
   LogRetention:
     Type: Number
     Default: 30
@@ -153,7 +156,7 @@ Resources:
                 Action:
                   - "kms:Decrypt"
                 Resource:
-                  - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*"
+                  - !Ref ArtifactKeyARN
         - !If
           # Optional IAM permission required by ECS task def env file
           # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json

@@ -11,6 +11,7 @@
 		"LogRetention": "30",
 		"ContainerPort": "80",
 		"EnvFileARN": "",
+		"ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 		"TargetContainer": "https-path-alias",
 		"TargetPort": "80",
 		"RulePath": "https-path-alias-path",

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml

@@ -29,6 +29,9 @@ Parameters:
     Description: 'URL of the environment file.'
     Type: String
     Default: ""
+  ArtifactKeyARN:
+    Type: String
+    Description: 'KMS Key used for encrypting artifacts'
   LogRetention:
     Type: Number
     Default: 30
@@ -137,7 +140,7 @@ Resources:
                 Action:
                   - 'kms:Decrypt'
                 Resource:
-                  - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+                  - !Ref ArtifactKeyARN
         - !If
           # Optional IAM permission required by ECS task def env file
           # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam

internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json

@@ -11,6 +11,7 @@
 		"LogRetention": "30",
 		"ContainerPort": "-1",
 		"EnvFileARN": "",
+		"ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 		"TargetContainer": "simple-backend",
 		"TargetPort": "-1"
 	},