AWS: how to create a CMK key for a specific IAM user from Java

Time: 2017-09-27 09:04:33

Tags: java amazon-web-services amazon-s3 aws-lambda aws-sdk

Whenever I try to create a CMK key, I get the error: {"errorMessage":"User: arn:aws:sts::[...] is not authorized to perform: kms:CreateKey

How do I create a CMK key for a specific IAM user? I guess I need to invoke that user's IAM policy?

[PXDBInt()]
[PXUIField(DisplayName = "Inventory ID")]
[PXDefault()]
[PXParent(typeof(Select<InventoryItem, Where<InventoryItem.inventoryID, Equal<Current<POInspectionDetail.inventoryID>>>>))]
[PXSelector(typeof(Search2<POLine.inventoryID,
      LeftJoin<POInspectionDetail, On<POLine.inventoryID, Equal<POInspectionDetail.inventoryID>>>,
        Where<POLine.orderNbr, Equal<Current<POInspection.orderNbr>>,
        And<POLineExt.qControl, Equal<True>>>>),
            typeof(POLine.siteID),
            typeof(POLine.orderQty),
            typeof(POLineExt.qControl))]
public int? InventoryID { get; set; }

public class inventoryID : IBqlField{}

2 Answers:

Answer 0 (score: 2)

You need the AWSKeyManagementServicePowerUser managed policy attached to the IAM user.

You can attach this policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "kms:CreateAlias",
            "kms:CreateKey",
            "kms:DeleteAlias",
            "kms:Describe*",
            "kms:GenerateRandom",
            "kms:Get*",
            "kms:List*",
            "kms:TagResource",
            "kms:UntagResource",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers"
        ],
        "Resource": "*"
    }
 ]
}

Hope this helps

Answer 1 (score: 0)

See the following policy for your IAM user policy

{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/KMSUser",
    "arn:aws:iam::111122223333:role/KMSRole",
    "arn:aws:iam::444455556666:root"
  ]},
  "Action": "kms:*",
  "Resource": "*"
}

(Add all needed users to the "Principal" list; change the "*" in "Action" and "Resource" if you don't need full permission.)

Giving '*' for the permission is not a good idea, since it grants full access. So narrow the permission scope according to your requirements.

The two official documents below are worth reading:

http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

http://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html
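As an added example (not code from the question or either answer), the following Java program creates a CMK with the AWS SDK for Java v1 and attaches a key policy of the shape shown in the answer above, but scoped to one IAM user and to the actions that user actually needs. The account id, user name, alias name and the set of allowed actions are placeholders/assumptions; the identity running this code still needs kms:CreateKey and kms:CreateAlias in its own IAM policy (the managed policy from the first answer grants both).

```java
// Added example, not part of the original answers. Creates a KMS CMK from Java
// (AWS SDK for Java v1) with a key policy that lets one IAM user use the key.
// Account id, user name and alias below are placeholders.
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.CreateAliasRequest;
import com.amazonaws.services.kms.model.CreateKeyRequest;
import com.amazonaws.services.kms.model.CreateKeyResult;

public class CreateCmkForUser {

    // Builds the key policy. The first statement keeps the account root as a
    // principal so the key stays manageable through IAM policies; the second
    // grants only the listed cryptographic actions to one specific user
    // instead of "kms:*" for everyone.
    static String keyPolicyFor(String accountId, String userName) {
        return "{\n" +
            "  \"Version\": \"2012-10-17\",\n" +
            "  \"Statement\": [\n" +
            "    {\n" +
            "      \"Sid\": \"Enable IAM User Permissions\",\n" +
            "      \"Effect\": \"Allow\",\n" +
            "      \"Principal\": {\"AWS\": \"arn:aws:iam::" + accountId + ":root\"},\n" +
            "      \"Action\": \"kms:*\",\n" +
            "      \"Resource\": \"*\"\n" +
            "    },\n" +
            "    {\n" +
            "      \"Sid\": \"Allow use of the key by one user\",\n" +
            "      \"Effect\": \"Allow\",\n" +
            "      \"Principal\": {\"AWS\": \"arn:aws:iam::" + accountId + ":user/" + userName + "\"},\n" +
            "      \"Action\": [\"kms:Encrypt\", \"kms:Decrypt\", \"kms:GenerateDataKey\", \"kms:DescribeKey\"],\n" +
            "      \"Resource\": \"*\"\n" +
            "    }\n" +
            "  ]\n" +
            "}";
    }

    public static void main(String[] args) {
        String accountId = "111122223333";   // placeholder account id
        String userName = "KMSUser";         // placeholder IAM user name

        // Credentials and region come from the default provider chain
        // (environment, profile, instance/Lambda role).
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();

        // Create the CMK with the key policy attached at creation time.
        // KMS rejects the request if the resulting policy would not allow the
        // caller to run kms:PutKeyPolicy (the policy lockout safety check).
        CreateKeyRequest request = new CreateKeyRequest()
            .withDescription("CMK usable by " + userName)
            .withPolicy(keyPolicyFor(accountId, userName));
        CreateKeyResult result = kms.createKey(request);
        String keyId = result.getKeyMetadata().getKeyId();

        // Give the key a friendly alias so callers do not hard-code the key id.
        kms.createAlias(new CreateAliasRequest()
            .withAliasName("alias/" + userName + "-cmk")   // placeholder alias
            .withTargetKeyId(keyId));

        System.out.println("Created CMK " + keyId + " for " + userName);
    }
}
```

The error in the question comes from the identity policy of the caller, not from any key policy, so this program only succeeds once that caller has kms:CreateKey; the key policy it writes then decides who may use the new key afterwards, which is the place to narrow "kms:*" down as the answer advises.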