MalformedPolicyDocumentException when creating an AWS KMS key

Time: 2019-05-31 14:30:02

Tags: python amazon-web-services aws-sdk aws-kms

Note: I have already gone through all the other older posts on StackOverflow, so please consider carefully before marking this as a duplicate.

I am trying to create a key in KMS using kms_client in Python 3.x -

    import boto3

    kms_client = boto3.client('kms')

    # Policy as posted: a bare statement with no top-level "Version" / "Statement" wrapper
    policy = """
    {
        "Sid": "Allowing access",
        "Effect": "Allow",
        "Principal": {"AWS": [
                    "arn:aws:iam::123456:user/sample-user",
                    "arn:aws:iam::123456:role/sample-role"
        ]},
        "Action": "kms:*",
        "Resource": "*"
    }"""

    # Creating the customer master key with the policy attached
    desc = "Key for testing"
    response = kms_client.create_key(
        Description=desc,
        Policy=policy
    )

But when I run it I get a MalformedPolicyDocumentException error.

I have also tried setting the Principal value to {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::123456"}, ":root"]]}, but that did not work.

I also tried the put_key_policy command after creating the key, but it gives the same error -

    # Creating the key first, without a policy
    desc = "Key for testing"
    response = kms_client.create_key(
        Description=desc
    )

    key_id = response['KeyMetadata']['KeyId']

    # Adding the policy to the created key
    policy = """
    {
        "Version": "2019-5-31",
        "Statement": [{
            "Sid": "Allowing access",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::123456:user/sample-user",
                "arn:aws:iam::123456:role/sample-role"
            ]},
            "Action": "kms:*",
            "Resource": "*"
        }]
    }"""

    # PolicyName must be 'default'; it is the only value PutKeyPolicy accepts
    response = kms_client.put_key_policy(
        KeyId=key_id,
        Policy=policy,
        PolicyName='default'
    )

What is going wrong here?

1 answer:

Answer 0 (score: 0)

Found the solution - apparently KMS key policies require a specific version number. The correct version should be 2012-10-17

    import boto3

    kms_client = boto3.client('kms')

    # Full policy document: the "Version" / "Statement" wrapper with the IAM policy-language version
    policy = """
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Allowing Access",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::123456:user/sample-user",
                "arn:aws:iam::123456:role/sample-role"
            ]},
            "Action": "kms:*",
            "Resource": "*"
        }]
    }"""

    # Creating the key with the policy attached
    desc = "Key for testing"
    response = kms_client.create_key(
        Description=desc,
        Policy=policy
    )
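As an added example (not code from the question or the answer), an offline pre-check that would have flagged both documents in the question before the CreateKey call, plus a builder that produces the policy from a dict so the wrapper cannot be left out. The function names validate_key_policy and build_key_policy are my own.

```python
import json

# Added helper, not from the post: the only policy-language version the answer
# (and the IAM policy grammar) uses for key policies.
VALID_VERSIONS = {"2012-10-17"}
REQUIRED_STATEMENT_KEYS = {"Effect", "Principal", "Action", "Resource"}

def validate_key_policy(policy_json: str) -> list:
    """Return a list of problems found; an empty list means the document is well-formed."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    version = doc.get("Version")
    if version is None:
        problems.append("missing top-level Version")
    elif version not in VALID_VERSIONS:
        problems.append(f"unsupported Version {version!r}; use 2012-10-17")
    statements = doc.get("Statement")
    if statements is None:
        problems.append("missing top-level Statement")
        return problems
    if isinstance(statements, dict):
        statements = [statements]  # a single statement object is also accepted
    for i, stmt in enumerate(statements):
        missing = REQUIRED_STATEMENT_KEYS - set(stmt)
        if missing:
            problems.append(f"statement {i} missing {sorted(missing)}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems

def build_key_policy(principal_arns: list, sid: str = "Allowing Access") -> str:
    """Build the document as a dict and serialize it, so the wrapper cannot be forgotten.
    Keep the caller's own principal in the list: CreateKey refuses a policy that would
    leave nobody able to call PutKeyPolicy (the policy lockout safety check)."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }
    return json.dumps(doc, indent=2)
```

Running validate_key_policy on the question's first document reports the missing Version and Statement, on the second the bad version string, and on build_key_policy's output nothing.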