I tried the following resource in my template:
    SigningKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "Auth API signing key"
        Enabled: true
        # Grant all permissions for root account
        KeyPolicy:
          Version: "2012-10-17"
          Id: "key-default-1"
          Statement:
            -
              Sid: "Enable IAM User Permissions"
              Effect: "Allow"
              Principal:
                - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
              Action: "kms:*"
              Resource: "*"
        EnableKeyRotation: true
        KeyUsage: SIGN_VERIFY
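But this results in an error:
The operation failed because the KeyUsage value of the CMK is SIGN_VERIFY. To perform this operation, the KeyUsage value must be ENCRYPT_DECRYPT.
It is also unclear from the docs where in the template to specify the key type (e.g. RSA_2048).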
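
An added example, not part of the original post: a version of the resource that sets the key type through the `KeySpec` property of `AWS::KMS::Key` and omits `EnableKeyRotation`. It assumes the error above comes from requesting automatic rotation, which KMS does not support for asymmetric keys.

```yaml
# Added example; the logical ID, description and key policy are reused from the question.
Resources:
  SigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Auth API signing key"
      Enabled: true
      # The key type goes here. The default, SYMMETRIC_DEFAULT, only supports
      # KeyUsage: ENCRYPT_DECRYPT, so a signing key needs an explicit spec.
      KeySpec: RSA_2048
      KeyUsage: SIGN_VERIFY
      # EnableKeyRotation is left out: automatic rotation applies only to
      # symmetric encryption keys and is rejected for SIGN_VERIFY keys.
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
```

Because rotation is unavailable for this key type, replacing the signing key means creating a new key and repointing whatever alias or configuration the signer uses.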