复制数据库快照的最小KMS权限

时间:2017-08-22 15:01:40

标签: amazon-web-services amazon-rds aws-kms

我正在尝试使用KMS加密密钥设置aws rds copy-db-snapshot的最小权限:

$ aws rds copy-db-snapshot --source-db-snapshot-identifier rds-backup-share-
mysql --target-db-snapshot-identifier rds-backup-share-mysql-reencrypted --kms-key-id <kms-arn>

<>中的所有内容都被我删除并包含有效值。)

不幸的是我收到了这个错误:

An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it.

目前我允许这些行动:

  "Action": [
    "kms:ReEncrypt*",
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:GenerateDataKey*",
    "kms:Encrypt",
    "kms:DescribeKey",
    "kms:Decrypt"
  ],

如果我用kms:*{code}替换它,它就有效,所以它必须是权限问题。

我尝试使用CloudTrail找出正确的权限,但它只包含相同的无用错误消息。

所以我的实际问题是:

  • CopyDBSnapshot的最小KMS权限是什么?
  • 是否有通用的方法来确定所需的权限?通过谷歌搜索所需的权限来浪费我的时间总是很痛苦。

修改:这是启用了--debug的日志输出的底部:

2017-08-22 17:15:37,521 - MainThread - botocore.endpoint - DEBUG - Sending http request: <PreparedRequest [POST]>
2017-08-22 17:15:37,522 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTPS connection (1): rds.eu-west-1.amazonaws.com
2017-08-22 17:15:37,927 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "POST / HTTP/1.1" 400 437
2017-08-22 17:15:37,934 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-requestid': 'c097fe4e-874c-11e7-a56a-9d1acedaf516', 'content-type': 'text/xml', 'content-length': '437', 'date': 'Tue, 22 Aug 2017 15:15:37 GMT', 'connection': 'close'}
2017-08-22 17:15:37,936 - MainThread - botocore.parsers - DEBUG - Response body:
b'<ErrorResponse xmlns="http://rds.amazonaws.com/doc/2014-10-31/">\n  <Error>\n    <Type>Sender</Type>\n    <Code>KMSKeyNotAccessibleFault</Code>\n    <Message>The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it. </Message>\n  </Error>\n  <RequestId>c097fe4e-874c-11e7-a56a-9d1acedaf516</RequestId>\n</ErrorResponse>\n'
2017-08-22 17:15:37,938 - MainThread - botocore.hooks - DEBUG - Event needs-retry.rds.CopyDBSnapshot: calling handler <botocore.retryhandler.RetryHandler object at 0x7f9c7ce84860>
2017-08-22 17:15:37,939 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2017-08-22 17:15:37,952 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/awscli/clidriver.py", line 200, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/lib/python3.6/site-packages/awscli/clidriver.py", line 338, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/usr/lib/python3.6/site-packages/awscli/clidriver.py", line 508, in __call__
    call_parameters, parsed_globals)
  File "/usr/lib/python3.6/site-packages/awscli/clidriver.py", line 627, in invoke
    client, operation_name, parameters, parsed_globals)
  File "/usr/lib/python3.6/site-packages/awscli/clidriver.py", line 639, in _make_client_call
    **parameters)
  File "/usr/lib/python3.6/site-packages/botocore/client.py", line 310, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python3.6/site-packages/botocore/client.py", line 599, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.KMSKeyNotAccessibleFault: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it. 
2017-08-22 17:15:37,955 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it.

FTR:我在AWS论坛上发了一个交叉帖子:https://forums.aws.amazon.com/thread.jspa?messageID=801745

4 个答案:

答案 0 :(得分:15)

现在,我通过反复试验弄明白了。由于我不想多次执行相同的任务,因此我将其自动化(请参阅下面的脚本)。

这是复制RDS快照所需的权限:

["kms:CreateGrant","kms:DescribeKey"]

这是我使用的脚本。也许它对其他有类似问题的人有用。它被黑客攻击,因此不要期望它能够开箱即用。

#!/bin/bash

set -euo pipefail

unknown=(
    kms:CancelKeyDeletion
    kms:CreateAlias
    kms:CreateAlias
    kms:CreateGrant
    kms:CreateKey
    kms:Decrypt
    kms:DeleteAlias
    kms:DeleteAlias
    kms:DescribeKey
    kms:DisableKey
    kms:DisableKeyRotation
    kms:EnableKey
    kms:EnableKeyRotation
    kms:Encrypt
    kms:GenerateRandom
    kms:GenerateDataKey
    kms:GenerateDataKeyWithoutPlaintext
    kms:GetKeyPolicy
    kms:GetKeyRotationStatus
    kms:ListAliases
    kms:ListGrants
    kms:ListKeyPolicies
    kms:ListKeys
    kms:ListRetirableGrants
    kms:PutKeyPolicy
    kms:ReEncryptFrom
    kms:ReEncryptTo
    kms:RetireGrant
    kms:RevokeGrant
    kms:ScheduleKeyDeletion
    kms:UpdateAlias
    kms:UpdateAlias
    kms:UpdateKeyDescription
)
required=()

KEY_ID=86a6300d-38f9-4892-b7a1-d8f821e8438c
export AWS_DEFAULT_OUTPUT=json

function check_copy {
    permissions=$( echo -n "${required[*]} ${unknown[*]}" | jq -R -s 'split(" ")' )

    policy=$( aws kms \
        get-key-policy \
        --key-id ${KEY_ID} \
        --policy-name default \
      | jq ".Policy" -r \
      | jq ".Statement[1].Action |= ${permissions}"
    )

    aws kms \
        put-key-policy \
        --key-id ${KEY_ID} \
        --policy-name default \
        --policy "${policy}"

    aws rds \
        delete-db-snapshot \
        --db-snapshot-identifier rds-backup-share-mysql-reencrypted \
        || true

    (
        set -x
        AWS_ACCESS_KEY_ID=XXX \
        AWS_SECRET_ACCESS_KEY=XXX \
        aws rds \
            copy-db-snapshot \
            --source-db-snapshot-identifier rds-backup-share-mysql \
            --target-db-snapshot-identifier rds-backup-share-mysql-reencrypted \
            --kms-key-id alias/rds-snapshot-share \
            || return 1

    aws rds \
        wait db-snapshot-completed \
        --db-snapshot-identifier rds-backup-share-mysql-reencrypted
    ) || return 1

    return 0
}

check_copy
while [ ${#unknown[@]} -gt 0 ]
do
    removed=${unknown[0]}
    unknown=(${unknown[@]:1})

    if ! check_copy
    then
        required+=($removed)
    fi

    echo "Required permissions so far: ${required[*]}"
    echo "Unknown permissions so far: ${unknown[*]}"
done

echo -n "Minimal permissions: "
echo -n "${required[*]}" | jq -R -s -c 'split(" ")'

答案 1 :(得分:2)

我还在复制RDS数据库快照,但使用Powershell和我的数据库是MS SQL。我得到了同样的错误:

scenegraph/qsgthreadedrenderloop.cpp

我最终在这里搜索,查看我的个人资料,凭据,角色等等......但一切似乎都很好。

我的错误是没有在The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it. 中指定区域(在Powershell中;相当于CLI中的Copy-RDSDBSnapshot)。由于我在灾难恢复方案中跨区域进行复制,因此我必须指定目标区域的KmsKeyId(因为它将推迟源区域)。源区域us-east-1是我的默认区域,因此执行此操作无效,因上述错误而失败,因为我没有指定任何内容,它在我的默认区域us-east-运行1,因此它无法找到us-west-2键,正如错误所说,它不存在&#34;在该地区,它与权限无关:

copy-db-snapshot

添加所谓的&#34;公共参数&#34; Copy-RDSDBSnapshot -SourceDBSnapshotIdentifier $dBSnapshotArn ` -SourceRegion 'us-east-1' ` -TargetDBSnapshotIdentifier $targetSnapshotName ` -KmsKeyId 'arn:aws:kms:us-west-2:xxxxx:key/xxxxx' ` -CopyTag $true -OptionGroupName 'myOptionGroup' 做了诀窍:

Region

答案 2 :(得分:1)

我找到了另一个根本原因,以及另一个解决方案:

只需在目标区域中创建然后删除RDS!

无论我对关键策略执行什么操作,AWS RDS都只是拒绝复制快照,直到我创建了一个小型的自动RDS。现在,任何键都可以“开箱即用”使用,即使是新的键也没有任何策略更改!

答案 3 :(得分:0)

除了其他答案的权限外,请确保使用对称加密密钥。 AWS 错误并不清楚它们的含义,并且当您尝试使用非对称密钥执行某些应该使用对称密钥执行的操作时,会使用完全相同的错误消息。