Using s3:GetObject from KMS encrypted Bucket with an Alias

Time:10-19

I am trying to use a KMS key alias to get objects from S3, which is not working, while putting objects works with the same policy. My policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::primary-db-backups-XXXXX"
        },
        {
            "Sid": "AllowGetPutPostgresBackups",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::primary-db-backups-XXXXX/*"
        },
        {
            "Sid": "AllowS3KMS",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:RequestAlias": "alias/infra_s3_key"
                }
            }
        }
    ]
}

The error I am getting is

download failed: s3://primary-db-backups-XXXXX/ip15000_2021-10-19T02-37-52.sql to - An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

If I put the KMS key ARN in Resource, then it works. I am not sure why GetObject is not working while PutObject works.

CodePudding user response:

This probably happens because S3 is calling the KMS key by its ARN, not its alias. You could use alias/infra_s3_key only if the API call to KMS made by S3 were itself using alias/infra_s3_key. But it's probably using the key ARN, thus only the condition with the KMS key ARN works.
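As an added illustration (not part of the question or the answer above), a small Python model of how the AllowS3KMS statement is evaluated against the two KMS calls S3 makes on the caller's behalf: GenerateDataKey when the upload names the alias, and Decrypt using the key ARN stored with the object. The key ARN, the request contexts and the assumption that the upload passes the alias explicitly are all constructed for the example.

```python
import fnmatch

# Constructed placeholder key ARN (not from the page).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-aaaa-bbbb-cccc-000000000000"

# The questioner's AllowS3KMS statement: scoped by the alias in the request.
ALIAS_STATEMENT = {
    "Effect": "Allow",
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*",
    "Condition": {"StringLike": {"kms:RequestAlias": "alias/infra_s3_key"}},
}

# The variant the questioner reports as working: scoped by key ARN in Resource.
ARN_STATEMENT = {
    "Effect": "Allow",
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": KEY_ARN,
}


def statement_allows(stmt, action, resource, context):
    """Simplified IAM evaluation of one Allow statement: Action and Resource
    wildcards plus StringLike conditions (only what this case needs)."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    # IAM resolves an alias in the request to the key ARN for Resource matching.
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    for key, pattern in stmt.get("Condition", {}).get("StringLike", {}).items():
        # A condition key absent from the request context never matches.
        if key not in context or not fnmatch.fnmatchcase(context[key], pattern):
            return False
    return True


# Constructed request contexts. PutObject with SSE-KMS and an alias as KeyId
# carries kms:RequestAlias; GetObject decrypts with the stored key ARN and
# therefore carries no alias at all.
PUT_REQUEST = ("kms:GenerateDataKey", KEY_ARN, {"kms:RequestAlias": "alias/infra_s3_key"})
GET_REQUEST = ("kms:Decrypt", KEY_ARN, {})


def evaluate(stmt):
    """Return {operation: allowed} for the two S3-initiated KMS calls."""
    return {
        "PutObject": statement_allows(stmt, *PUT_REQUEST),
        "GetObject": statement_allows(stmt, *GET_REQUEST),
    }
```

Running evaluate on both statements reproduces the reported behaviour: the alias-conditioned statement allows the PutObject path but denies the GetObject path, while the ARN-scoped statement allows both.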
