Terraform AWS CMK script throws a Not Authorized Error

Time:09-28

I am trying to create a CMK for my SQS queue to allow encrypted SNS messages to be sent to my encrypted queue. After I create the CMK, I will set it as the "kms_master_key_id" of my queue.

resource "aws_kms_key" "mycmk" {
  description             = "KMS Key"
  deletion_window_in_days = 10

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "sns.amazonaws.com"
    },
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }]
}
POLICY
}

This is throwing an error: "my_role_arn is not authorized to perform: kms:CreateKey on resource: *". I've double-checked to make sure that action is allowed, and it is. Do I need to update the 'resource' in the policy? If so, to what?

The role I am using to run this has these permissions:

Effect = "Allow"
Action = [
  "kms:CreateAlias",
  "kms:CreateGrant",
  "kms:CreateKey",
  "kms:DeleteAlias",
  "kms:DisableKey",
  "kms:EnableKey",
  "kms:PutKeyPolicy",
  "kms:RevokeGrant",
  "kms:ScheduleKeyDeletion",
  "kms:TagResource",
  "kms:UntagResource",
  "kms:UpdateAlias",
  "kms:UpdateKeyDescription"
]
Resource = [
  "arn:aws:kms:${local.aws_region}:${var.aws_account_id}:key/*",
  "arn:aws:kms:${local.aws_region}:${var.aws_account_id}:alias/*"
]

CodePudding user response:

As someone else suggested, it looks like the credentials you use to run Terraform don't have the right permissions.

CreateKey explicitly only works with the "*" resource, so change the policy to this:

data "aws_iam_policy_document" "key_Access" {
  statement {
    actions = [
      "kms:CreateAlias",
      "kms:CreateGrant",
      "kms:DeleteAlias",
      "kms:DisableKey",
      "kms:EnableKey",
      "kms:PutKeyPolicy",
      "kms:RevokeGrant",
      "kms:ScheduleKeyDeletion",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:UpdateAlias",
      "kms:UpdateKeyDescription"
    ]

    resources = [
      "arn:aws:kms:${local.aws_region}:${var.aws_account_id}:key/*",
      "arn:aws:kms:${local.aws_region}:${var.aws_account_id}:alias/*"
    ]
  }

  statement {
    actions = ["kms:CreateKey"]
    resources = ["*"]
  }
}

With that being said, maybe don't make your own policy. Just assign the existing policy arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser to the role. That gives the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:Describe*",
                "kms:GenerateRandom",
                "kms:Get*",
                "kms:List*",
                "kms:TagResource",
                "kms:UntagResource",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
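To see why the original role policy fails for kms:CreateKey while the two-statement version passes, here is an added example (not code from the question, the answer, or AWS) with a deliberately simplified IAM Allow evaluator: it handles only Effect "Allow" statements with IAM's "*" and "?" wildcards, and ignores Deny, NotAction and Condition. The region and account id in the sample policies are constructed placeholders.

```python
import re

# Hypothetical helper, not AWS's policy engine: Allow statements only, no
# Deny / NotAction / Condition. '*' and '?' follow IAM wildcard semantics;
# action names compare case-insensitively, resource ARNs do not.

def _iam_pattern(pattern: str, ignore_case: bool = False) -> re.Pattern:
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE if ignore_case else 0)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_iam_pattern(p, True).fullmatch(action) for p in _as_list(stmt["Action"]))
        resource_ok = any(_iam_pattern(p).fullmatch(resource) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def actions_denied_on_star(policy: dict, actions) -> list:
    """Actions not allowed on resource '*', which is what kms:CreateKey is evaluated against."""
    return [a for a in actions if not is_allowed(policy, a, "*")]

# Constructed sample values; region and account id are placeholders.
KEY_ARNS = ["arn:aws:kms:us-east-1:123456789012:key/*",
            "arn:aws:kms:us-east-1:123456789012:alias/*"]
KEY_ACTIONS = ["kms:CreateAlias", "kms:CreateGrant", "kms:DeleteAlias", "kms:DisableKey",
               "kms:EnableKey", "kms:PutKeyPolicy", "kms:RevokeGrant",
               "kms:ScheduleKeyDeletion", "kms:TagResource", "kms:UntagResource",
               "kms:UpdateAlias", "kms:UpdateKeyDescription"]

# The role policy from the question: CreateKey scoped to key/alias ARNs, which never match "*".
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": KEY_ACTIONS + ["kms:CreateKey"], "Resource": KEY_ARNS}]}

# The corrected layout from the answer: CreateKey in its own statement on "*".
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": KEY_ACTIONS, "Resource": KEY_ARNS},
    {"Effect": "Allow", "Action": "kms:CreateKey", "Resource": "*"}]}

if __name__ == "__main__":
    print("original allows CreateKey on *:", is_allowed(ORIGINAL, "kms:CreateKey", "*"))
    print("fixed allows CreateKey on *:", is_allowed(FIXED, "kms:CreateKey", "*"))
    print("still denied on * after fix:", actions_denied_on_star(FIXED, KEY_ACTIONS))
```

The key-scoped actions stay denied on "*" after the fix, which is the intended least-privilege outcome: only CreateKey needs the unscoped resource.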