Unable to decrypt/download KMS-encrypted objects from an S3 bucket in another account

Time: 2018-03-21 18:46:04

Tags: amazon-web-services amazon-s3

Earlier today I tried to grant an IAM user in B access to objects in A via a bucket policy, and updated the KMS policy of the CMK in A to allow B to use the CMK. I confirmed that each individual operation works.

Using the account in B:

aws kms encrypt --key-id 'arn:aws:kms:us-east-1:11111:key/KEYID' --plaintext 'hello world'

aws s3 cp localfile s3://bucket-in-a

Both operations work fine. However, when B tries to upload a file to the bucket with server-side encryption, or tries to download an encrypted file, I get an AccessDenied message. I'm fairly sure the role-assumption route would work, but I'm looking for a simpler alternative.

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222222222:user/USER"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKETNAME",
                "arn:aws:s3:::BUCKETNAME/*"
            ]
        }
    ]
}

CMK Policy

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:user/ADMIN",
          "arn:aws:iam::222222222222:user/USER"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

0 Answers:

No answers
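The question above shows a cross-account setup where the bucket policy and key policy in account A both name a user in account B, yet GetObject on an SSE-KMS object is denied. For a cross-account request AWS requires an allow from both the resource-based policy in the owning account and the identity-based policy attached to the caller in its own account (an explicit Deny anywhere wins; within a single account either policy is enough), and reading an SSE-KMS object makes S3 call kms:Decrypt on the caller's behalf. The following offline model of that evaluation logic is an added example, not code from the question or from AWS; the key policy is the one posted above, the key ARN, the user ARN and the identity policy in account B are constructed for illustration, and the matching rules are simplified (no conditions, no grants, no session policies).

```python
"""Offline model of AWS cross-account policy evaluation (constructed example).

A request is checked against the resource-based policy in the account that owns
the resource (the key policy or bucket policy in account A) and the
identity-based policy of the caller in its own account (account B).
Same account: either policy may allow.  Cross-account: BOTH must allow.
An explicit Deny in any policy always wins.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(arn):
    """Account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def _principal_matches(statement, principal_arn):
    """True if the statement's Principal covers the caller (exact ARN,
    the whole account, or the account root ARN; '*' matches anyone)."""
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    account = account_of(principal_arn)
    accepted = {"*", principal_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))


def _statement_applies(statement, principal_arn, action, resource, check_principal):
    """True if the statement covers this principal (resource policies only),
    action and resource, using IAM-style wildcard matching."""
    if check_principal and not _principal_matches(statement, principal_arn):
        return False
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, principal_arn, action, resource, check_principal):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    result = "Implicit"
    for statement in policy.get("Statement", []):
        if _statement_applies(statement, principal_arn, action, resource, check_principal):
            if statement.get("Effect") == "Deny":
                return "Deny"          # explicit deny short-circuits everything
            result = "Allow"
    return result


def is_allowed(principal_arn, action, resource_arn, identity_policy, resource_policy):
    """Combine the caller's identity policy with the resource's policy."""
    identity = evaluate_policy(identity_policy, principal_arn, action, resource_arn, False)
    resource = evaluate_policy(resource_policy, principal_arn, action, resource_arn, True)
    if "Deny" in (identity, resource):
        return False
    if account_of(principal_arn) == account_of(resource_arn):
        return "Allow" in (identity, resource)          # same account: either suffices
    return identity == "Allow" and resource == "Allow"  # cross-account: both required


# --- constructed sample data (key policy copied from the question) -------------
USER_B = "arn:aws:iam::222222222222:user/USER"
ADMIN_A = "arn:aws:iam::111111111111:user/ADMIN"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/KEYID"   # KEYID is a placeholder

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": [ADMIN_A, USER_B]},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Hypothetical identity policy attached to USER in account B, scoped to the
# two operations S3 needs for SSE-KMS reads and writes.
IDENTITY_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": KEY_ARN,
    }],
}


def cross_account_decrypt(identity_policy):
    """Can USER in account B have S3 decrypt with the key in account A?"""
    return is_allowed(USER_B, "kms:Decrypt", KEY_ARN, identity_policy, KEY_POLICY)


if __name__ == "__main__":
    print("B user, no identity policy :", cross_account_decrypt({}))
    print("B user, identity policy    :", cross_account_decrypt(IDENTITY_POLICY_B))
    print("A admin, key policy only   :",
          is_allowed(ADMIN_A, "kms:Decrypt", KEY_ARN, {}, KEY_POLICY))
```

Run stand-alone, the script prints False for the user in B with an empty identity policy, True once the identity policy in B allows kms:Decrypt on the key, and True for the admin in A with the key policy alone. The same two-sided check applies to the bucket policy and s3:GetObject.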