
I keep getting this error but I can’t seem to spot what is wrong with my policy. Can someone help? This is my aws_kms_key_policy:

resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Version = "2012-10-17",
    Id      = "kms-key-policy",
    Statement = [
      {
        # The only principal this policy grants anything to is the
        # Step Functions service principal.
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*", # ReEncryptFrom/ReEncryptTo; there is no bare kms:ReEncrypt action
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:PutKeyPolicy",
          "kms:CreateGrant"
        ],
        # In a key policy this can also be written as "*", meaning "this key".
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}

I can’t seem to spot what is incorrect with my policy. Thanks.

2 Answers


  1. This statement only allows the principal states.amazonaws.com to ever do anything with the key ever again. It blocks you, the owner of the key, from ever modifying the key in the future. That’s why it is rejecting the policy.

  2. I think you also want to allow the policy to be updated by a user from your AWS account. Right now there is no way to update the policy, as you are only allowing an AWS service to perform some actions. To fix this, I would add something like:

    resource "aws_kms_key_policy" "kms_key" {
      key_id = aws_kms_key.kms_key.key_id
    
      policy = jsonencode({
        Version = "2012-10-17",
        Id      = "kms-key-policy",
        Statement = [
          {
            # This statement is what satisfies the KMS lockout safety check:
            # an IAM principal in the key's own account keeps kms:PutKeyPolicy
            # (via "kms:Put*"), so the policy can still be changed later.
            Sid    = "Allow administration of the key",
            Effect = "Allow",
            Principal = {
              AWS = "arn:aws:iam::<your AWS account ID>:user/<user name>"
            },
            Action = [
              "kms:Create*",
              "kms:Describe*",
              "kms:Enable*",
              "kms:List*",
              "kms:Put*",
              "kms:Update*",
              "kms:Revoke*",
              "kms:Disable*",
              "kms:Get*",
              "kms:Delete*",
              "kms:ScheduleKeyDeletion",
              "kms:CancelKeyDeletion"
            ],
            Resource = "*" # in a key policy, "*" means this key
          },
          {
            # Usage permissions for Step Functions. A service principal never
            # counts for the lockout check, even when granted kms:PutKeyPolicy;
            # Step Functions does not need kms:PutKeyPolicy to use the key, so
            # consider dropping it.
            Sid    = "Allow use of the key by Step Functions",
            Effect = "Allow",
            Principal = {
              Service = "states.amazonaws.com"
            },
            Action = [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*", # ReEncryptFrom/ReEncryptTo; there is no bare kms:ReEncrypt action
              "kms:GenerateDataKey",
              "kms:DescribeKey",
              "kms:PutKeyPolicy",
              "kms:CreateGrant"
            ],
            Resource = aws_kms_key.kms_key.arn
          }
        ]
      })
    }
    

    This will allow only the user that you specify to administer the KMS key. If you want to allow the account root user to administer the key, you can use the following:

    Principal = {
      "AWS" = "arn:aws:iam::<your AWS account ID>:root"
    }
    

    If you have a different identity that needs to administer the key, you can see more examples in the re:Post article.

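The rejection both answers describe is the KMS key-policy lockout safety check: KMS refuses a CreateKey or PutKeyPolicy whose new policy would leave no principal in the key's account able to call kms:PutKeyPolicy (unless BypassPolicyLockoutSafetyCheck is set). The script below, an added example rather than code from the question or either answer, approximates that check offline on the rendered policy JSON so it can run in CI before `terraform apply`. It only evaluates Effect, Principal and Action (Condition, NotAction and NotPrincipal are not modelled, so a pass is advisory); the account ID 123456789012 and the user name kms-admin are placeholders, and the two sample policies are constructed copies of the asker's policy and the answer's corrected one.

```python
"""Offline approximation of the KMS key-policy lockout safety check.

Added example for this thread, not code from the original posts.
Only Effect/Principal/Action are evaluated. Account ID and user name
are placeholders (assumptions).
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # placeholder, assumed

# Constructed sample: the asker's policy, which grants rights only to a
# service principal. kms:PutKeyPolicy here does NOT satisfy the check.
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "kms-key-policy",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "states.amazonaws.com"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey", "kms:DescribeKey",
                   "kms:PutKeyPolicy", "kms:CreateGrant"],
        "Resource": "*",
    }],
})

# Constructed sample: the same policy plus the admin statement from the answer.
ANSWER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "kms-key-policy",
    "Statement": [
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/kms-admin"},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        json.loads(QUESTION_POLICY)["Statement"][0],
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM-style wildcard match, e.g. "kms:Put*" or "kms:*" covers kms:PutKeyPolicy."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _account_principals(principal, account_id):
    """Return the AWS (IAM) principals in a statement that belong to account_id.

    Service principals (Principal.Service) never count: nobody in the account
    can assume them to rewrite the key policy. "*" and a bare account ID count.
    """
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    hits = []
    for p in _as_list(principal.get("AWS")):
        if p == "*" or p == account_id or f":{account_id}:" in p:
            hits.append(p)
    return hits


def principals_that_can_put_key_policy(policy, account_id):
    """Principals from account_id granted kms:PutKeyPolicy, minus explicit denies."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if not _action_matches(_as_list(stmt.get("Action")), "kms:PutKeyPolicy"):
            continue
        prins = _account_principals(stmt.get("Principal"), account_id)
        (allowed if stmt.get("Effect") == "Allow" else denied).update(prins)
    return sorted(allowed - denied)


def would_lock_out(policy, account_id):
    """True when KMS would reject this policy with the lockout error."""
    return not principals_that_can_put_key_policy(policy, account_id)


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        who = principals_that_can_put_key_policy(pol, ACCOUNT_ID)
        print(f"{name}: lockout={would_lock_out(pol, ACCOUNT_ID)} admins={who}")
```

Run it against the output of `terraform show -json` or the rendered `policy` attribute from a plan; the asker's policy reports a lockout while the answer's does not. The cross-account case is deliberately treated as a lockout: a principal from another account keeping kms:PutKeyPolicy does not satisfy KMS's check either, because it looks only at principals in the key's own account.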