Lambda无法访问KMS密钥

时间:2018-11-19 15:12:03

标签: amazon-web-services aws-lambda aws-serverless aws-sam-cli serverless-application-model

运行lambda代码时,出现以下错误:

The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

我主要遵循this来使用aws-sam-cli创建堆栈,模板的相关部分位于代码下方。

相关代码为:

const ssm = new AWS.SSM();
const param = {
    Name: "param1",
    WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();

template.yaml文件的相关部分是:

KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: 'param1Key'
      TargetKeyId: !Ref Key
Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Id: default
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
          - 'kms:Create*'
          - 'kms:Encrypt'
          - 'kms:Describe*'
          - 'kms:Enable*'
          - 'kms:List*'
          - 'kms:Put*'
          - 'kms:Update*'
          - 'kms:Revoke*'
          - 'kms:Disable*'
          - 'kms:Get*'
          - 'kms:Delete*'
          - 'kms:ScheduleKeyDeletion'
          - 'kms:CancelKeyDeletion'
          Resource: '*'
          Sid: Allow root account all permissions except to decrypt the key
        Version: 2012-10-17

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      - Statement:
         - Action:
           - "ssm:GetParameter"
           Effect: Allow
           Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/param1"

KMSDecryptPolicy不允许使用密钥吗?我想念什么?谢谢!

编辑:将模板更改为以下版本是可行的,但如果可能的话,我真的很想在lambda定义中使用KMSDecryptPolicy

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      - Statement:
         - Action:
           - "ssm:GetParameter"
           Effect: Allow
           Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/param1"

Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Id: default
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
          - 'kms:Create*'
          - 'kms:Encrypt'
          - 'kms:Describe*'
          - 'kms:Enable*'
          - 'kms:List*'
          - 'kms:Put*'
          - 'kms:Update*'
          - 'kms:Revoke*'
          - 'kms:Disable*'
          - 'kms:Get*'
          - 'kms:Delete*'
          - 'kms:ScheduleKeyDeletion'
          - 'kms:CancelKeyDeletion'
          Resource: '*'
          Sid: Allow root account all permissions except to decrypt the key
        - Sid: 'Allow use of the key for decryption by the LambdaFunction'
          Effect: Allow
          Principal:
            AWS: !GetAtt LambdaFunctionRole.Arn
          Action:
          - 'kms:Decrypt'
          Resource: '*'        
        Version: 2012-10-17

1 个答案:

答案 0 :(得分:0)

问题本身包含答案。所做的更改是,它不仅给了lambda角色仅KMS权限(基于身份的方式),而且还向关键策略中的lambda角色授予了权限(基于资源的方式)。

这是AWS官方资源,说明发生这种情况的原因-https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html

据此

  

所有KMS CMK都有密钥策略,您必须使用它来控制对CMK的访问。 IAM策略本身不足以允许访问CMK,尽管您可以将它们与CMK的密钥策略结合使用。

相关问题
最新问题