Merge pull request #152 from haoranleo/categorize-explicit-deny-as-user-induced

Categorize explicit deny policy in IAM role as user induced

Author: k8s-ci-robot

pkg/kmsplugin/kms.go

@@ -92,13 +92,15 @@ func ParseError(err error) (errorType KMSErrorType) {
 
 	// AWS SDK Go for KMS does not "yet" define specific error code for a case where a customer specifies the deleted key
 	// "AccessDeniedException" error code may be returned when (1) CMK does not exist (not pending delete),
-	// or (2) corresponding IAM role is not allowed to access the key.
-	// Thus we only want to mark "AccessDeniedException" as user-induced for the case (1).
+	// or (2) user explicitly denied access to the key via resource policy,
+	// or (3) corresponding IAM role is not allowed to access the key.
+	// Thus we only want to mark "AccessDeniedException" as user-induced for the case (1) and (2).
 	// e.g., "AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
 	//       or "AccessDeniedException: User xxx is not authorized to perform: xxx on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access"
+	//       or "AccessDeniedException: User xxx is not authorized to perform: xxx on this resource with an explicit deny in a resource control policy"
 	// KMS service may change the error message, so we do the string match.
 	case "AccessDeniedException":
-		if strings.Contains(ae.ErrorMessage(), "does not exist") {
+		if strings.Contains(ae.ErrorMessage(), "does not exist") || strings.Contains(ae.ErrorMessage(), "explicit deny in a resource control policy") {
 			return KMSErrorTypeUserInduced
 		}
 	// Sometimes this error message is returned as part of KMSInvalidStateException or KMSInternalException

pkg/kmsplugin/kms_test.go

@@ -98,6 +98,11 @@ func TestParseError(t *testing.T) {
 			err:      &mockAPIError{code: "AccessDeniedException", message: "User dummy is not authorized to perform: kms:Decrypt on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access"},
 			expected: KMSErrorTypeUserInduced,
 		},
+		{
+			name:     "AccessDeniedException caused by explicit deny in resource policy",
+			err:      &mockAPIError{code: "AccessDeniedException", message: "User dummy is not authorized to perform: kms:Decrypt on this resource with an explicit deny in a resource control policy"},
+			expected: KMSErrorTypeUserInduced,
+		},
 		{
 			name:     "Other AccessDeniedException",
 			err:      &mockAPIError{code: "AccessDeniedException", message: "access denied for some other reason"},

pkg/plugin/plugin_test.go

@@ -111,6 +111,19 @@ func TestEncrypt(t *testing.T) {
 			healthErr: true,
 			checkErr:  false,
 		},
+		{
+			input:  plainMessage,
+			ctx:    nil,
+			output: "",
+			err: &smithy.GenericAPIError{
+				Code:    "AccessDeniedException",
+				Message: "User dummy is not authorized to perform: kms:Decrypt on this resource with an explicit deny in a resource control policy",
+				Fault:   0,
+			},
+			errType:   kmsplugin.KMSErrorTypeUserInduced,
+			healthErr: true,
+			checkErr:  false,
+		},
 		{
 			input:  plainMessage,
 			ctx:    nil,

pkg/plugin/plugin_v2_test.go

@@ -103,6 +103,19 @@ func TestEncryptV2(t *testing.T) {
 			healthErr: true,
 			checkErr:  false,
 		},
+		{
+			input:  plainMessage,
+			ctx:    nil,
+			output: "",
+			err: &smithy.GenericAPIError{
+				Code:    "AccessDeniedException",
+				Message: "User dummy is not authorized to perform: kms:Decrypt on this resource with an explicit deny in a resource control policy",
+				Fault:   0,
+			},
+			errType:   kmsplugin.KMSErrorTypeUserInduced,
+			healthErr: true,
+			checkErr:  false,
+		},
 		{
 			input:  plainMessage,
 			ctx:    nil,