How to add KMS key policy to an IAM role.
I was trying to download a file from an S3 bucket in my lambda function but i kept getting an error, probably because the bucket has encryption. I have a key policy that looks like this:
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
But how do I attach this to my role? I clicked on Edit trust relationships and tried to paste this there but I get an error that:
An error occurred: Has prohibited field Resource
CodePudding user response:
You can add the role directly to the key policy if it is a customer managed key:
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::123:root",
"arn:aws:iam::123:role/myRole"]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
Or you can attach a new policy (or edit an existing policy that is already attached) to the role you are invoking the lambda function as. Add something similar to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowKMS",
"Effect": "Allow",
"Action": "kms:*",
"Resource": "*"
}
]
}
CodePudding user response:
Create an IAM policy { "Version": "2012-10-17", "Statement": [ { "Sid": "KMSKeypermission", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:::" ] } ] }
And attach this policy to the role
Also add the the role to key policy if you have created the KMS You can find the KMS key Policy by navigating to KMS --> Customer managed keys