I keep getting this error but I can't seem to spot what is wrong with my policy. Can someone help? This is my aws_kms_key_policy:
```hcl
resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id
  policy = jsonencode({
    Id = "kms-key-policy",
    Statement = [
      {
        # The only statement in the policy: it names the Step Functions
        # service principal and nobody else.
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt",
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:PutKeyPolicy",
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}
```
I can’t seem to spot what is incorrect with my policy. Thanks
2 Answers
This statement only allows the principal states.amazonaws.com to ever do anything with the key ever again. It blocks you, the owner of the key, from ever modifying the key in the future. That's why it is rejecting the policy. I think you also want to allow the policy to be updated by a user from your AWS account. Right now there is no way to update the policy as you are only allowing an AWS service to perform some actions. To fix this, I would add something like:
This will allow only the user that you specify to administer the KMS key. If you want to allow the account root user to administer the key, you can use the following:
If you have a different identity that needs to administer the key, you can see more examples in the re:Post article.
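An added example of the two-statement layout the answer describes (my own code, not the answerer's snippet): the account root principal gets the key-administration actions, so the owning account can keep changing the policy, and the Step Functions service principal keeps only the usage actions. It assumes the `aws_kms_key.kms_key` resource from the question and a default provider configured for the account that owns the key.

```hcl
# Added example, not from the original thread. Assumes resource
# "aws_kms_key" "kms_key" exists and the default AWS provider is
# configured for the account that owns the key.
data "aws_caller_identity" "current" {}

resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "kms-key-policy"
    Statement = [
      {
        # Administration by the owning account. The root principal delegates
        # to IAM, so users/roles in this account can manage the key only if
        # their own IAM policies also allow it. kms:Put* includes PutKeyPolicy,
        # which is what the lockout safety check looks for.
        Sid    = "AllowKeyAdministration"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action = [
          "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
          "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
          "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
          "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
        ]
        Resource = "*" # in a key policy, "*" means this key only
      },
      {
        # Usage by the Step Functions service principal. PutKeyPolicy is
        # deliberately left out: a service principal should not be able to
        # rewrite the policy that governs the key.
        Sid    = "AllowStepFunctionsUse"
        Effect = "Allow"
        Principal = {
          Service = "states.amazonaws.com"
        }
        Action = [
          "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
          "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant"
        ]
        Resource = "*"
      }
    ]
  })
}
```

With an account principal able to call kms:PutKeyPolicy, the policy passes the KMS lockout safety check on apply; the resource's `bypass_policy_lockout_safety_check` argument would silence the check rather than fix the lockout, so it is not the right answer here.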