fix(kms): Alias reference incorrectly resolves to underlying Key (#35545)

rix0rrr · web-flow · commit 43ffcff6a509 · 2025-09-22T16:28:22.000Z
Because `IAlias` extends `IKey`, `IAlias` inherits the new `keyRef: KeyReference`. It was originally implemented by referencing the underlying key, but that's wrong: it should reference the alias itself, but using the field names it shares with `IKey`. In fact, we should have introduced a new interface like `IKeyLike` to do this job, but instead we overloaded `IKey` to behave like a hypothetical `IKeyLike`, and `IKeyRef` now inherits this double duty. Therefore, we now make the `IKeyRef` implementation of `Alias` behave like a `IKeyLikeRef`, and satisfy the contract using its own fields. Closes #35543 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-kms/lib/alias.ts b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
@@ -69,7 +69,13 @@ abstract class AliasBase extends Resource implements IAlias {
   }
 
   public get keyRef(): KeyReference {
-    return this.aliasTargetKey.keyRef;
+    // Not actually referering to the key: `IKeyRef` here is being used as a
+    // hypothetical `IKeyLikeRef`, and we need to return the Alias values using
+    // the Key interface.
+    return {
+      keyArn: this.aliasArn,
+      keyId: this.keyId,
+    };
   }
 
   /**
diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts
@@ -26,6 +26,9 @@ import * as cxapi from '../../cx-api';
 
 /**
  * A KMS Key, either managed by this CDK app, or imported.
+ *
+ * This interface does double duty: it represents an actual KMS keys, but it
+ * also represents things that can behave like KMS keys, like a key alias.
  */
 export interface IKey extends IResource, IKeyRef {
   /**
diff --git a/packages/aws-cdk-lib/aws-kms/test/alias.test.ts b/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
@@ -911,6 +911,19 @@ test('aliasArn should be a valid ARN', () => {
   }, stack));
 });
 
+test('Alias keyRef should reference the Alias, not the underlying key', () => {
+  // GIVEN
+  const app = new App();
+  const stack = new Stack(app, 'Test');
+  const key = new Key(stack, 'Key');
+
+  // WHEN
+  const alias = key.addAlias('alias/foo');
+
+  // THEN
+  expect(alias.keyRef.keyArn).toEqual(alias.aliasArn);
+});
+
 class AliasOutputsConstruct extends Construct {
   constructor(scope: Construct, id: string, key: IKey) {
     super(scope, id);

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,13 @@ abstract class AliasBase extends Resource implements IAlias {`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`public get keyRef(): KeyReference {`
`72`		`- return this.aliasTargetKey.keyRef;`
	`72`	+ // Not actually referering to the key: `IKeyRef` here is being used as a
	`73`	+ // hypothetical `IKeyLikeRef`, and we need to return the Alias values using
	`74`	`+ // the Key interface.`
	`75`	`+ return {`
	`76`	`+ keyArn: this.aliasArn,`
	`77`	`+ keyId: this.keyId,`
	`78`	`+ };`
`73`	`79`	`}`
`74`	`80`
`75`	`81`	`/**`