Creation of KMS-keys stacks fails when using dedicated CF-role #31

@abjoerne

Description

Describe the bug

Trying to create the Account Pool Stack in the management account.
CloudFormation is initiated from CodePipeline and is assigned a separate role for this task.
When a KMS-key (IsbKmsKeyInnovationSandboxAccountPool0065BC85) is created, it fails with the following error.

Resource handler returned message: "The new key policy will not allow you to update the key policy in the future. (Service: Kms, Status Code: 400, Request ID: <REDACTED>) (SDK Attempt Count: 1)" (RequestToken: <REDACTED>, HandlerErrorCode: InvalidRequest)

To Reproduce

Deploying the AccountPool stack with CloudFormation from a CI/CD pipeline. The CloudFormation stack is running with a separate role.

Expected behavior

Stack and KMS key are created successfully.

Please complete the following information about the solution:

  • Version: v1.0.3
  • Region: eu-west-1
  • Was the solution modified from the version published on this repository? NO

CloudTrail reports:

    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateKey",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "MalformedPolicyDocumentException",
    "errorMessage": "The new key policy will not allow you to update the key policy in the future.",

Solution

Either add the role used to create the stack, or add BypassPolicyLockoutSafetyCheck: true for the key.
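The check behind this error is the KMS key-policy lockout safety check: a CreateKey (or PutKeyPolicy) call is rejected when the new key policy would leave the calling principal, here the dedicated CloudFormation role, unable to call kms:PutKeyPolicy later, unless the caller sets BypassPolicyLockoutSafetyCheck. The Python below is an added example that models that check against a few constructed key policies; it is not code from the Innovation Sandbox project or from the issue author. The account id, role ARNs and policy documents are placeholders, and the evaluation is a deliberately simplified model of KMS behaviour (explicit Deny wins, wildcard actions such as kms:* match, and the caller's IAM identity policy counts only when the key policy grants the account root principal).

```python
"""Simplified model of the KMS key-policy lockout safety check.

Constructed example, not part of the Innovation Sandbox project. It shows
why a key policy that names only an administrator role fails when a
different role (the dedicated CloudFormation role) creates the key, and
how the two fixes from the issue behave: granting that role in the key
policy, or bypassing the check.
"""
import copy
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
# Hypothetical dedicated role that CloudFormation assumes for the stack.
CFN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/cfn-deploy-role"
# Hypothetical human/ops administrator role named in the key policy.
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/kms-admin"

LOCKOUT_ERROR = ("The new key policy will not allow you to update "
                 "the key policy in the future.")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_arns(principal):
    """Flatten the Principal element to a list of ARN patterns."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(a) for a in _as_list(principal.get("AWS", []))]
    return [str(principal)]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_allows(policy, principal_arn, action, caller_iam_allows=False):
    """Return True if the key policy lets principal_arn perform action.

    caller_iam_allows: whether the caller's own IAM identity policy grants
    the action. In this model that only helps when the key policy delegates
    to IAM by granting the account root principal.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(_as_list(stmt.get("Action", [])), action):
            continue
        principals = _principal_arns(stmt.get("Principal", {}))
        direct = _matches(principals, principal_arn)
        via_iam = caller_iam_allows and ROOT in principals
        if stmt.get("Effect") == "Deny" and direct:
            return False  # explicit deny wins
        if stmt.get("Effect") == "Allow" and (direct or via_iam):
            allowed = True
    return allowed


def lockout_check(policy, caller_arn, bypass=False, caller_iam_allows=False):
    """Mimic the safety check: error message on rejection, None if accepted."""
    if bypass:
        return None  # BypassPolicyLockoutSafetyCheck skips the check entirely
    if policy_allows(policy, caller_arn, "kms:PutKeyPolicy", caller_iam_allows):
        return None
    return LOCKOUT_ERROR


# Constructed sample: only the admin role may manage the key. A key created
# by CFN_ROLE under this policy trips the lockout check.
ADMIN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KeyAdmin",
        "Effect": "Allow",
        "Principal": {"AWS": ADMIN_ROLE},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Constructed sample: granting the account root principal delegates to IAM,
# so the caller passes only if its own IAM policy allows kms:PutKeyPolicy.
ROOT_DELEGATING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableIamPolicies",
        "Effect": "Allow",
        "Principal": {"AWS": ROOT},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def with_deploy_role(policy, role_arn):
    """Return a copy of policy that also lets role_arn manage the key policy."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({
        "Sid": "AllowDeploymentRoleToManageKeyPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:DescribeKey"],
        "Resource": "*",
    })
    return fixed


if __name__ == "__main__":
    print("admin-only policy   :", lockout_check(ADMIN_ONLY_POLICY, CFN_ROLE))
    print("deploy role added   :", lockout_check(with_deploy_role(ADMIN_ONLY_POLICY, CFN_ROLE), CFN_ROLE))
    print("bypass flag set     :", lockout_check(ADMIN_ONLY_POLICY, CFN_ROLE, bypass=True))
```

Of the two fixes, adding the deploying role to the key policy keeps the safeguard in place; the bypass flag makes the key creatable but also lets a policy be installed that no principal can later change, so it is worth auditing CloudTrail for CreateKey and PutKeyPolicy events that carry it.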

Labels

bug (Something isn't working)