每当我尝试创建CMK密钥时,都会收到错误: {" errorMessage":" User:arn:aws:sts :: [...]未经授权执行:kms:CreateKey 。
如何为特定的IAM用户创建CMK密钥?我猜我需要调用该用户的IAM政策吗?
[PXDBInt()]
[PXUIField(DisplayName = "Inventory ID")]
[PXDefault()]
[PXParent(typeof(Select<InventoryItem, Where<InventoryItem.inventoryID, Equal<Current<POInspectionDetail.inventoryID>>>>))]
[PXSelector(typeof(Search2<POLine.inventoryID,
LeftJoin<POInspectionDetail, On<POLine.inventoryID, Equal<POInspectionDetail.inventoryID>>>,
Where<POLine.orderNbr, Equal<Current<POInspection.orderNbr>>,
And<POLineExt.qControl, Equal<True>>>>),
typeof(POLine.siteID),
typeof(POLine.orderQty),
typeof(POLineExt.qControl))]
public int? InventoryID { get; set; }
public class inventoryID : IBqlField{}
答案 0 :(得分:2)
您需要IAM用户将 AWSKeyManagementServicePowerUser 托管策略附加到用户。
您可以附加此政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateAlias",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:Describe*",
"kms:GenerateRandom",
"kms:Get*",
"kms:List*",
"kms:TagResource",
"kms:UntagResource",
"iam:ListGroups",
"iam:ListRoles",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
希望这有助于
答案 1 :(得分:0)
请参阅以下政策,了解您的IAM用户政策
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": [
"arn:aws:iam::111122223333:user/KMSUser",
"arn:aws:iam::111122223333:role/KMSRole", // ADD ALL NEEDED USERS HERE
"arn:aws:iam::444455556666:root"
]},,
"Action": "kms:*", //CHANGE * IF YOU DON'T NEED FULL PERMISSION
"Resource": "*" //CHANGE * IF YOU DON'T NEED FULL PERMISSION
}
给予&#39; *&#39;对于许可并不是一个好主意,因为它将提供完全访问权限。因此,请根据您的要求缩小许可范围。
下面的两篇官方文档值得一读,
http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
http://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html