I keep getting the error message:
software.amazon.awssdk.services.kms.model.KmsException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
when trying to decrypt.
I have created a task execution role with the following permissions:
"AssumeRolePolicyDocument": {
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
},
"ManagedPolicyArns": [
  "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
],
"Policies": [
  {
    "PolicyName": "AllowKmsDecrypt",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            {"Ref": "PrincipalSourceKeyArn"}
          ]
        }
      ]
    }
  }
]
The task definition is associated with the role:
"ExecutionRoleArn": {"Ref": "TaskExecutionRoleArn"},
Hmm. What else could I be missing?
Answer 0 (score: 1)
As can be seen from these docs, IAM policies are not sufficient on their own:
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK.
I needed to update the KMS KeyPolicy so that it includes:
{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" : "AWS::AccountId"} ,":root" ]] }
  },
  "Action": "kms:*",
  "Resource": "*"
}
Answer 1 (score: 0)
In the case of this line
{ "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" : "AWS::AccountId"} ,":root" ]] }
you only allow this key to be used through the root account.
Usually, this key policy has to give users the ability to manage the key, and give only some specific actions to the services or other users that use the key. So for me, the whole setup has to look like this:
KMSKeyEncryption:
  Type: AWS::KMS::Key
  Properties:
    Enabled: true
    EnableKeyRotation: false
    KeyPolicy:
      Version: 2012-10-17
      Statement:
        - Principal:
            AWS: arn of the users/roles who are allowed to manage this key
          Effect: Allow
          Action:
            - kms:Create*
            - kms:Describe*
            - kms:Enable*
            - kms:List*
            - kms:Put*
            - kms:Update*
            - kms:Revoke*
            - kms:Disable*
            - kms:Get*
            - kms:Delete*
            - kms:ScheduleKeyDeletion
            - kms:CancelKeyDeletion
            - kms:Encrypt*
            - kms:Decrypt*
          Resource: "*"
        - Principal: "*" # this is not specific enough, should be strict
          Effect: Allow
          Action:
            - kms:Decrypt*
          Resource: "*"
PolicyDecryptKms:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: DecryptKmsPolicy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: AllowDecryptValues
          Effect: Allow
          Action:
            - kms:Decrypt*
          Resource: !GetAtt KMSKeyEncryption.Arn
RoleECSTaskContainer:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2008-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
    RoleName: ECSTaskContainerRole
    ManagedPolicyArns:
      - !Ref PolicyDecryptKms
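Both answers come down to the same authorization rule: an identity (IAM) policy can grant kms:Decrypt on a key only if the key policy itself names the caller or delegates to IAM by allowing the account root principal, and answer 1's `Principal: "*"` statement is the over-broad way of satisfying it. The following script, added here as an example and not code from the question or either answer, evaluates that rule offline over constructed policy documents (the account id, key id and role name are placeholders; no AWS calls are made, and CloudFormation intrinsics such as Fn::Join are assumed to be already resolved to plain ARNs). It reproduces the question's failure with an admin-only key policy, shows the fix from answer 0 taking effect, and flags unconditioned wildcard-principal statements like the one answer 1 marks as "not specific enough".

```python
"""Offline check of KMS key-policy / IAM-policy interaction for kms:Decrypt.
Simplified model: single account, Allow statements only, no Condition
evaluation. Constructed sample data; placeholders, not real identifiers."""
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed placeholder account id
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ECSTaskContainerRole"  # hypothetical task role


def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Match e.g. kms:Decrypt against patterns such as kms:* or kms:Decrypt*."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _resource_matches(patterns, resource):
    return any(p == "*" or fnmatch.fnmatchcase(resource, p) for p in patterns)


def _principals(statement):
    """AWS principals named by a key-policy statement ('*' means everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS")))


def _statement_grants(st, action, resource):
    return (st.get("Effect") == "Allow"
            and _action_matches(_as_list(st.get("Action")), action)
            and _resource_matches(_as_list(st.get("Resource")), resource))


def key_policy_allows(key_policy, principal_arn, action, key_arn):
    """True if the key policy itself names principal_arn (or '*') for action."""
    return any(_statement_grants(st, action, key_arn)
               and ({principal_arn, "*"} & _principals(st))
               for st in key_policy.get("Statement", []))


def key_policy_enables_iam(key_policy, account_id, action, key_arn):
    """True if the key policy allows the account root principal for action,
    which is what lets IAM policies in that account grant it (answer 0)."""
    root = {f"arn:aws:iam::{account_id}:root", account_id}
    return any(_statement_grants(st, action, key_arn) and (root & _principals(st))
               for st in key_policy.get("Statement", []))


def iam_policy_allows(iam_policy, action, key_arn):
    """True if an identity policy attached to the caller allows action on key_arn."""
    return any(_statement_grants(st, action, key_arn)
               for st in iam_policy.get("Statement", []))


def can_decrypt(key_policy, iam_policy, principal_arn, account_id, key_arn):
    """Decision for kms:Decrypt under the simplified model above."""
    if key_policy_allows(key_policy, principal_arn, "kms:Decrypt", key_arn):
        return True
    return (key_policy_enables_iam(key_policy, account_id, "kms:Decrypt", key_arn)
            and iam_policy_allows(iam_policy, "kms:Decrypt", key_arn))


def overly_broad_statements(key_policy):
    """Sids (or indexes) of Allow statements with Principal '*' and no Condition."""
    return [st.get("Sid", f"statement[{i}]")
            for i, st in enumerate(key_policy.get("Statement", []))
            if st.get("Effect") == "Allow" and st.get("Principal") == "*"
            and "Condition" not in st]


# Constructed sample: the question's identity policy (Decrypt on this key only).
IAM_DECRYPT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_ARN]}]}
EMPTY_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}

# Key policy naming only a key administrator: IAM policies are not honored.
ADMIN_STATEMENT = {"Sid": "AdminOnly", "Effect": "Allow", "Action": "kms:*",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/key-admin"},
                   "Resource": "*"}
KEY_POLICY_ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [ADMIN_STATEMENT]}

# Same policy plus the root statement from answer 0.
KEY_POLICY_WITH_ROOT = {"Version": "2012-10-17", "Statement": [ADMIN_STATEMENT, {
    "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}, "Resource": "*"}]}

# Same policy plus answer 1's wildcard-principal Decrypt statement.
KEY_POLICY_WILDCARD = {"Version": "2012-10-17", "Statement": [ADMIN_STATEMENT, {
    "Sid": "AnyPrincipalDecrypt", "Effect": "Allow", "Principal": "*",
    "Action": ["kms:Decrypt*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, kp in [("admin-only", KEY_POLICY_ADMIN_ONLY), ("with root", KEY_POLICY_WITH_ROOT)]:
        print(f"{name}: task role can decrypt = "
              f"{can_decrypt(kp, IAM_DECRYPT_POLICY, ROLE_ARN, ACCOUNT_ID, KEY_ARN)}")
    print("overly broad:", overly_broad_statements(KEY_POLICY_WILDCARD))
```

Running it prints False for the admin-only key policy (the question's situation: the role's own Decrypt permission is never consulted), True once the root statement is present, and lists `AnyPrincipalDecrypt` as a statement to tighten. The root statement alone does not grant anything to the task role; an empty identity policy still yields False, so the fix from answer 0 and the role policy from the question are both required.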