The title says it all. Whenever I try to create a KMS key through an AWS CloudFormation template, I get this error. I am creating the stack as an IAM user with administrative permissions, and I want the key to be manageable by any IAM user in the same AWS account who has KMS permissions. I use the following YAML resource definition for the key:
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Enabled: true
    KeyPolicy:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action: kms:*
          Principal:
            AWS: <Principal>
However, none of the following values for <Principal> worked, even when I tried to create the stack as the root user!
!Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
!Join [ "", [ "arn:aws:sts::", !Ref "AWS::AccountId", ":root" ] ]
!Ref "AWS::AccountId"
I cannot hard-code a user name into the Principal, because I want anyone with permission to create stacks to be able to instantiate this template. Does anyone know how to resolve this frustrating situation? Thanks in advance.
Edit:
I should mention that I no longer define the KMS key policy in the CloudFormation template. In fact, I now avoid defining any security resources in my CF templates at all, such as IAM entities, policies, and ACM certificates. My reasoning is described in a GitHub issue.
Answer 0 (score: 8)
You are missing the Resource: "*" property. This works for me:
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Enabled: true
    KeyPolicy:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action: kms:*
          Resource: "*"
          Principal:
            AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
Resource: "*" is required and is the only possible value:
Resource – (Required) In a key policy, you use "*" for the resource, which means "this CMK". A key policy applies only to the CMK it is attached to.
For an example, see https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/.
Answer 1 (score: 1)
I got the same error when I tried to create a CMK from a Lambda function. So I added the Lambda role's ARN to the key policy when creating the key.
Answer 2 (score: 1)
In case it helps someone, note the remark in https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/: Important: make sure the key policy you create allows the current user to administer the CMK.
I ran into this when deploying the template from a pipeline, and the suggested solution did not work for me. The role used to deploy the template had the corresponding KMS permissions, but it also had to be in the Principal of the key policy!
- Effect: Allow
  Action: kms:*
  Resource: "*"
  Principal:
    AWS:
      - !Sub arn:aws:iam::${AWS::AccountId}:role/PipelineRole
Answer 3 (score: 0)
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Key for Lambda function
    Enabled: True
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-consolepolicy-3
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:root
          Action: kms:*
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
          Action:
            - kms:Decrypt
            - kms:Encrypt
          Resource: "*"
This policy is a bit dangerous, because it grants any user or role in the account with kms:decrypt the permission to decrypt and view the key, which is insecure and will not pass a pen test.
If you want to remove the decrypt permission:
LambdaKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Key for Lambda function
    Enabled: True
    KeyPolicy:
      Version: '2012-10-17'
      Id: key-consolepolicy-3
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:role/sudo
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt
          Resource: "*"
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:role/admin
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt
          Resource: "*"
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::AwsAccountId:root
          Action:
            - kms:List*
            - kms:Get*
            - kms:Encrypt
          Resource: "*"
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS:
              Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
          Action:
            - kms:Decrypt
            - kms:Encrypt
          Resource: "*"
This way I granted the sudo and admin roles every permission except decrypt (make sure you have these roles).
I am granting roles and users only list, get and encrypt permissions.
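As an added example (not code from the question or any of the answers above), the Python script below lints a KMS key policy offline for the three points raised in this thread: answer 0's requirement that every Allow statement use Resource "*", answer 2's requirement that the principal deploying the template (or the account root principal) be allowed kms:PutKeyPolicy so the policy can still be updated later, and answer 3's concern about which principals end up with kms:Decrypt. The account id, role ARNs and sample policies are constructed placeholders; the update check assumes, as answer 2 does, that the deploying role already holds the matching IAM permissions when the root principal is used, and it does not model Deny statements or Condition blocks.

```python
"""Added example: offline lint of a KMS key policy for the pitfalls in this thread.
Makes no AWS calls; policies are plain dicts in the JSON shape CloudFormation emits."""
import fnmatch

# Constructed placeholder account and role ARNs (not from the original page).
ACCOUNT_ID = "111122223333"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
PIPELINE_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/PipelineRole"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/LambdaExecution"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns such as kms:* or kms:Put* are case-insensitive globs."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _aws_principals(statement):
    """Return the AWS principals of a statement ('*' for the anonymous wildcard)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def statements_without_star_resource(policy):
    """Key policies must use Resource "*" (meaning "this key"). Return the Sid,
    or the statement index when it has none, of each Allow statement lacking it."""
    bad = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" not in _as_list(stmt.get("Resource")):
            bad.append(stmt.get("Sid", f"#{index}"))
    return bad


def principals_allowed(policy, action):
    """Set of AWS principals that at least one Allow statement grants `action`.
    Deny statements and Condition blocks are deliberately not modelled here."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            allowed.update(_aws_principals(stmt))
    return allowed


def can_update_policy(policy, deployer_arn):
    """True when the deploying principal could call kms:PutKeyPolicy later: either
    named directly, or via the account root principal, which defers to the
    deployer's own IAM permissions (assumed to be present, as in answer 2)."""
    allowed = principals_allowed(policy, "kms:PutKeyPolicy")
    return bool(allowed & {deployer_arn, ROOT_ARN, ACCOUNT_ID, "*"})


def lint_key_policy(policy, deployer_arn):
    """Summarise the three findings a reviewer wants before deploying the stack."""
    return {
        "missing_resource": statements_without_star_resource(policy),
        "deployer_can_update": can_update_policy(policy, deployer_arn),
        "decrypt_principals": sorted(principals_allowed(policy, "kms:Decrypt")),
    }


# Constructed sample policies mirroring the shapes discussed in the thread.
BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Principal": {"AWS": ROOT_ARN}}]}  # no Resource
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": ROOT_ARN}}]}
PIPELINE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": [PIPELINE_ROLE]}}]}
LAMBDA_USE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": LAMBDA_ROLE}, "Action": ["kms:Decrypt", "kms:Encrypt"]}]}

if __name__ == "__main__":
    for name, policy in [("broken", BROKEN), ("fixed", FIXED),
                         ("pipeline_only", PIPELINE_ROLE and PIPELINE_ONLY),
                         ("lambda_use", LAMBDA_USE)]:
        print(name, lint_key_policy(policy, PIPELINE_ROLE))
```

Run it as a script to see each sample policy's findings, or feed it the JSON of a real key policy (for instance the output of `aws kms get-key-policy`) after loading it with `json.load`. The "broken" policy reproduces the question's situation: with no Resource it is rejected outright, and a policy that names only a pipeline role is fine for that pipeline but locks out anyone else, which is why the thread converges on either the root principal or an explicit list of administrator principals.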