{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 太酷不给撩 的问题《How do I get AWS cross-account KMS keys to work?》','https://www.manongdao.com/q-730808.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to set up cross-account access to allow for an external account to use my KMS key to decrypt data from an S3 bucket. I have the key, policies, roles set up with what I believe is the correct grants but I can't describe the key from the external account. Hoping to get some input as to what I'm doing wrong.
Account 111: Key with policy grant to root of external account (999)
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999:root"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999:root"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
Role in account 999 with the policy attached granting access to key from 111:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:RevokeGrant",
"kms:CreateGrant",
"kms:ListGrants"
],
"Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:ReEncryptFrom"
],
"Resource": "*"
}
]
}
Yet when I assume the role in 999 using aws-shell:
aws> kms describe-key --key-id=abc-def
An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist
Pay special attention to the key policy conditions if everything seems to be normal. For ex a policy like below seems to be giving access to AccountA to use the key.
However if you check the condition more carefully you will see the use of the Key is restricted to certain services with "viaService" condition.
More info AWS Doc Reference.
In this case the key is restricted to ec2 and auto-scaling. If you execute "aws kms describe-key" from and ec2 instance you would be able to see a response coming, but you wouldn't be able to use it for other services like AWS Secret Manager etc. In other words the following command will fail from the same ec2 instance.
Your key, role and policies are set up correctly. When you call
describe-keyon a Customer Master Key (CMK) that is on a different AWS account, you have to specify the key ARN or alias ARN in the value of thekey-idparameter.From the official docs:
That said, if you do something like below, it will work: