From 9b6555d429136486c2a3db4463c9ded840939c5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Per=20G=C3=A5rdebrink?= Date: Sun, 17 Dec 2023 23:05:24 +0000 Subject: [PATCH] Delegate adding principal policy to base principal When the base principal is an identity principal, we want to add the policy there with the kms:ViaService condition applied. --- .../aws-cdk-lib/aws-kms/lib/via-service-principal.ts | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/packages/aws-cdk-lib/aws-kms/lib/via-service-principal.ts b/packages/aws-cdk-lib/aws-kms/lib/via-service-principal.ts index 370b63145f1b0..85305f2db7a7e 100644 --- a/packages/aws-cdk-lib/aws-kms/lib/via-service-principal.ts +++ b/packages/aws-cdk-lib/aws-kms/lib/via-service-principal.ts @@ -11,6 +11,18 @@ export class ViaServicePrincipal extends iam.PrincipalBase { this.basePrincipal = basePrincipal ? basePrincipal : new iam.AnyPrincipal(); } + public addToPrincipalPolicy(_statement: iam.PolicyStatement): iam.AddToPrincipalPolicyResult { + const conditions = Object.assign({}, _statement.conditions); + + if (conditions.StringEquals) { + conditions.StringEquals = Object.assign({ 'kms:ViaService': this.serviceName }, conditions.StringEquals); + } else { + conditions.StringEquals = { 'kms:ViaService': this.serviceName }; + } + + return this.basePrincipal.addToPrincipalPolicy(_statement.copy({ conditions })); + } + public get policyFragment(): iam.PrincipalPolicyFragment { // Make a copy of the base policyFragment to add a condition to it const base = this.basePrincipal.policyFragment;
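Review bot: In the new `addToPrincipalPolicy`, the merge `Object.assign({ 'kms:ViaService': this.serviceName }, conditions.StringEquals)` lets the incoming statement win on key collision, so a statement that already carries its own `kms:ViaService` entry silently replaces the service this principal exists to enforce, and the resulting grant is scoped to whatever the caller supplied rather than to `this.serviceName`. Since the point of this principal is that every statement it emits is restricted to its service, the principal's value should take precedence, e.g. `conditions.StringEquals = Object.assign({}, conditions.StringEquals, { 'kms:ViaService': this.serviceName });`, or the method should throw when an existing `kms:ViaService` value differs from `this.serviceName` so the conflict is visible at synth time rather than producing a policy nobody intended. The parameter is named `_statement` although it is read on every line; the leading underscore conventionally marks an unused parameter, so renaming it to `statement` would be clearer. A short doc comment on the method would also help, e.g. `/** Adds the statement to the base principal's policy with a kms:ViaService condition for this principal's service merged into its StringEquals block. */`; note that a statement whose actions are not KMS actions will simply never match once this key is added, which is presumably intended but worth stating. The enclosing `ViaServicePrincipal` class starts and ends outside the hunk, and the `policyFragment` getter shown as trailing context continues past it.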