I am trying to fetch an AWS Secrets Manager secret through the API from my laptop, and I get:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling
the GetSecretValue operation: Access to KMS is not allowed
I have an administrator account on AWS, so I should be able to access KMS, or am I mistaken?
If you do not have access to the KMS key used to encrypt the Secrets Manager secret, you will get this error.
Make sure you update the policy for the role/profile you are using with the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow access to KMS",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:GetParametersForImport",
        "kms:DescribeCustomKeyStores",
        "kms:ListKeys",
        "kms:GetPublicKey",
        "kms:ListKeyPolicies",
        "kms:ListRetirableGrants",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListResourceTags",
        "kms:ListGrants"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "<account-number>",
          "kms:ViaService": "secretsmanager.<your-region>.amazonaws.com"
        }
      }
    }
  ]
}
```
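To see why the read-only action list alone does not unblock `GetSecretValue`, here is an added example (not code from this thread) that evaluates a key-policy statement of the shape proposed above against the request context KMS actually sees. Secrets Manager decrypts the secret on the caller's behalf with `kms:Decrypt`, and that call carries the `kms:ViaService` context key; a direct `Decrypt` from a laptop does not. The account number, region and the reduced action list are constructed placeholders, and the evaluator models only Allow/Deny, `Action` wildcards, `Resource: "*"` and `StringEquals` conditions, not identity policies, grants, SCPs or permission boundaries.

```python
"""Minimal offline evaluator for a KMS key-policy statement (added example).

Only the subset of IAM evaluation needed to reason about the error in the
question is modelled: Effect Allow/Deny, Action matching with '*' wildcards,
Resource '*', and StringEquals conditions on kms:CallerAccount and
kms:ViaService. Identity policies, grants, SCPs and permission boundaries are
deliberately out of scope.
"""
from fnmatch import fnmatchcase

# Constructed sample values (assumptions, not taken from the thread).
ACCOUNT = "123456789012"
REGION = "us-east-1"
VIA_SECRETS_MANAGER = f"secretsmanager.{REGION}.amazonaws.com"

# A shortened stand-in for the read-only action list in the answer above.
READ_ONLY_ACTIONS = [
    "kms:DescribeKey",
    "kms:GetKeyPolicy",
    "kms:ListAliases",
]


def kms_statement(actions):
    """Key-policy statement in the shape the answer proposes, with the given actions."""
    return {
        "Sid": "Allow access to KMS",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": list(actions),
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": ACCOUNT,
                "kms:ViaService": VIA_SECRETS_MANAGER,
            }
        },
    }


def _conditions_match(condition, context):
    """Only StringEquals is modelled; a context key that is absent never matches."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def evaluate(statements, action, context):
    """Return 'allow' or 'deny' for one action: implicit deny unless an Allow
    matches, and any matching explicit Deny is final."""
    decision = "deny"
    for st in statements:
        actions = st["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _conditions_match(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def get_secret_value_via_secrets_manager(statements):
    """GetSecretValue makes Secrets Manager call kms:Decrypt for the caller,
    so the request context carries kms:ViaService for that service."""
    context = {"kms:CallerAccount": ACCOUNT, "kms:ViaService": VIA_SECRETS_MANAGER}
    return evaluate(statements, "kms:Decrypt", context)


def decrypt_directly_from_laptop(statements):
    """A direct kms:Decrypt call from the laptop has no kms:ViaService key."""
    context = {"kms:CallerAccount": ACCOUNT}
    return evaluate(statements, "kms:Decrypt", context)


if __name__ == "__main__":
    as_posted = [kms_statement(READ_ONLY_ACTIONS)]
    with_decrypt = [kms_statement(READ_ONLY_ACTIONS + ["kms:Decrypt"])]
    print("read-only actions, GetSecretValue:", get_secret_value_via_secrets_manager(as_posted))
    print("plus kms:Decrypt,  GetSecretValue:", get_secret_value_via_secrets_manager(with_decrypt))
    print("plus kms:Decrypt,  direct Decrypt: ", decrypt_directly_from_laptop(with_decrypt))
```

The third case is the point of the `kms:ViaService` condition: the same statement that lets Secrets Manager decrypt on your behalf still denies a raw `kms:Decrypt` from the laptop, so the key cannot be used outside the service path you intended.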