I have Encrypted SNS topic with KMS key. Here is KMS policy:
Type: 'AWS::KMS::Key'
Properties:
Description: Key for SNS Encryption
Enabled: true
EnableKeyRotation: true
KeyPolicy:
Version: 2012-10-17
Id: KmsKeyPolicy
Statement:
- Sid: AllowDFX5AdminPermissionSet
Effect: Allow
Principal:
AWS: !Ref ParamKMSKeyAdministratorUserRoleArn
Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:TagResource
- kms:UntagResource
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
Resource: '*'
- Sid: AllowAccountPoliciesToUseKey
Effect: Allow
Principal:
Service:
- states.amazonaws.com
- sns.amazonaws.com
Action:
- kms:Encrypt
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKey
- kms:ReEncrypt*
Resource: '*'
My state machine role has appropriate permissions:
Effect: Allow
Action:
- kms:Encrypt
- kms:ReEncrypt*
- kms:Decrypt
- kms:GenerateDataKey*
Resource: !Ref ParamKmsKeyArn
However, my state machine is giving me a following error: User: arn:aws:sts::190565753270:assumed-role/dfx5-health-monitoring-dev-StepFun-StepFunctionRole-kMolFlKjZ3lh/HxHgpfIkpnjBOOhbdJevmlLNhdAkSNhL is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:190565753270:key/c5697944-70f3-4806-b94a-0e081826ee25 because no resource-based policy allows the kms:GenerateDataKey action
This error is telling me that my state machine role has not KMS permissions but it is there. I guess the problem will be with KMS policy. Any ideas please?
2
Answers
Hmm, I believe you need to update your KMS key policy to explicitly include your state machine role in the Principal section.
Can you try this and see if it solves the issue:
Also, a point to note -> If your use case does not require dynamically setting an administrator for the KMS key, or if this parameter is not relevant to your specific setup, you might not need to include
ParamKMSKeyAdministratorUserRoleArn
.As Olakunle indicated, you must include the IAM role that the state machine is using. Some services send directly to SNS, but Step functions is not one of them (See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html)
But a few points:
If you directly give permissions to an IAM role in the KMS key policy, you do not need to give permissions in the IAM policy. This is effectively the same as in any other resource policy, except that with KMS, you must give permissions in the Key Policy, it cannot only be done in the IAM Policy.
arn:aws:iam::ACCOUNT:root
, you are not granting all roles permission, but you are delegating access to the key to IAM, which means then you give access by adding permissions in the IAM role policy (but only to the permissions you permit in the key policy).In this case you do not grant permissions to the Service. The IAM Role is the principal that needs permissions. If you want to restrict access to it being used with a specific service, then you need a condition to ensure that it is done VIA the service, and within that region. For example, here is how you would do it in JSON. I included both the section for granting the role access, and if one of the services that send directly to SNS (per the link above) was to be given access.