Error when using Terraform for AWS: "The new key policy will not allow you to update the key policy in the future."

Time: 2018-01-29 20:08:53

Tags: amazon-web-services terraform aws-kms

Running terraform to create a key in AWS KMS, I get the error:

  • aws_kms_key.dyn_logs_server_side_cmk: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future. status code: 400, request id: e34567896780780

There are many posts about this problem, but none of them helped. So, my kms.tf file looks like this:

provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region     = "${var.aws_region}"
}

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description         = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = true

    # "2012-10-17" is the only valid policy language version; the heredoc
    # terminator must sit on its own line.
    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::${var.account_id}:root"},
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
EOF
}

This is what I see in the output after terraform apply "dyn-vpc.plan":

aws_kms_key.dyn_logs_server_side_cmk: Creating...
arn:                 "" => "<computed>"
description:         "" => "dyn-logs-server-dyn"
enable_key_rotation: "" => "true"
is_enabled:          "" => "true"
key_id:              "" => "<computed>"
key_usage:           "" => "<computed>"
policy:              "" => "{\n   \"Version\":\"2015-11-17\",\n   \"Statement\":[\n      {\n         \"Sid\": \"Enable IAM User Permissions\",\n         \"Effect\": \"Allow\",\n         
\"Principal\": {\"AWS\": \"arn:aws:iam::12345678901234:root\"},\n         \"Action\": \"kms:*\",\n         \"Resource\": \"*\"\n      }\n   ]\n}\n"

aws_kms_key.dyn_logs_server_side_cmk: Still creating... (10s elapsed)
aws_kms_key.dyn_logs_server_side_cmk: Still creating... (20s elapsed)
Error applying plan:
1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk: 1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk:
MalformedPolicyDocumentException: The new key policy will not allow
you to update the key policy in the future.

2 Answers:

Answer 0 (score: 0)

Basically, the comment from @ydaetskcoR is correct. The account_id in the policy was incorrect, which caused the error. MalformedPolicyDocumentException is not really informative; you need to find the real cause.

Answer 1 (score: 0)

In my case, the account ID was correct, but the user creating the key was not included in the Enable IAM User Permissions statement. I had to do this:

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description         = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = true

    # "2012-10-17" is the only valid policy language version; the heredoc
    # terminator must sit on its own line.
    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${var.account_id}:root",
                    "arn:aws:iam::${var.account_id}:user/system/terraform-user"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
EOF
}
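As an added example (not code from the question or from either answer), the following offline Python lint applies the rule KMS enforces at key-creation time to a key policy before you run terraform apply: the identity creating the key must still be able to call kms:PutKeyPolicy under the new policy. It models both failures on this page: a root ARN built from the wrong account_id (answer 0), and a correct root ARN for a caller whose own IAM policies do not grant kms:PutKeyPolicy, which is why answer 1 had to name the user explicitly. The account ID, user ARN and sample policies are constructed; the caller_iam_allows_put_key_policy flag is an assumption of this model, not an AWS API.

```python
"""Pre-flight lint of a KMS key policy against the PutKeyPolicy lockout check.

Added example, not code from the original question or answers. Identities and
policies below are constructed; nothing here talks to AWS.
"""
import fnmatch
import json

# Constructed identities (not from the original post).
ACCOUNT_ID = "123456789012"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
CALLER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/system/terraform-user"


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """AWS principals named by a statement; '*' is the anonymous wildcard."""
    principal = stmt.get("Principal")
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return {str(p) for p in _as_list(principal.get("AWS"))}
    return set()


def _covers_action(stmt, action):
    """True if any Action pattern ('kms:*', 'kms:Put*', '*') matches; IAM actions are case-insensitive."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action")))


def lockout_problems(policy_json, account_id, caller_arn, caller_iam_allows_put_key_policy=True):
    """Reasons KMS would reject the policy with the lockout error; an empty list means it looks safe.

    account_id and caller_arn identify who runs `terraform apply`. A grant to the
    account root ARN only reaches the caller if the caller's own IAM policies also
    allow kms:PutKeyPolicy; pass caller_iam_allows_put_key_policy=False to model a
    caller without that IAM grant (the situation in answer 1). This flag is an
    assumption of the model, not an AWS parameter.
    """
    policy = json.loads(policy_json)
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append(f"Version must be 2012-10-17, got {policy.get('Version')!r}")

    # Principal values through which the caller can exercise kms:PutKeyPolicy.
    reachable = {caller_arn, "*"}
    if caller_iam_allows_put_key_policy:
        reachable |= {f"arn:aws:iam::{account_id}:root", account_id}

    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _covers_action(stmt, "kms:PutKeyPolicy"):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            problems.append(f"statement {stmt.get('Sid')!r}: a key policy must use Resource \"*\"")
            continue
        hit = _aws_principals(stmt) & reachable
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            problems.append(f"statement {stmt.get('Sid')!r} explicitly denies kms:PutKeyPolicy to {sorted(hit)}")
        elif stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            allowed = True
    if not allowed:
        problems.append("no unconditional Allow of kms:PutKeyPolicy reaches the caller: KMS rejects this with "
                        "'The new key policy will not allow you to update the key policy in the future'")
    return problems


def key_policy(principals, version="2012-10-17", deny_caller=False):
    """Constructed key policy in the question's shape (one 'Enable IAM User Permissions' statement)."""
    statements = [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": principals},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if deny_caller:
        statements.append({
            "Sid": "DenyPolicyChanges",
            "Effect": "Deny",
            "Principal": {"AWS": CALLER_ARN},
            "Action": "kms:PutKeyPolicy",
            "Resource": "*",
        })
    return json.dumps({"Version": version, "Statement": statements})


def demo():
    """Run the lint over the situations described in the question and both answers."""
    cases = {
        "root ARN with the right account_id": (key_policy(ROOT_ARN), True),
        "root ARN with the wrong account_id (answer 0)": (key_policy("arn:aws:iam::999999999999:root"), True),
        "right account_id but caller lacks an IAM grant (answer 1)": (key_policy(ROOT_ARN), False),
        "caller named in the statement (answer 1 fix)": (key_policy([ROOT_ARN, CALLER_ARN]), False),
        "invalid policy Version": (key_policy(ROOT_ARN, version="2015-11-17"), True),
        "explicit Deny of PutKeyPolicy to the caller": (key_policy(ROOT_ARN, deny_caller=True), True),
    }
    return {name: lockout_problems(policy, ACCOUNT_ID, CALLER_ARN, iam_ok)
            for name, (policy, iam_ok) in cases.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as a script to see each case judged; feed your own rendered policy JSON (for example the policy value terraform plan prints) to lockout_problems with the real account ID and the ARN you deploy as. The aws_kms_key resource also has a bypass_policy_lockout_safety_check argument that switches this check off; it leaves you with a key no principal can administer, so fix the policy rather than set it.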