I keep getting this error, but I can't seem to find what is wrong with my policy. Can someone help? Here is my aws_kms_key_policy:
resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id
  policy = jsonencode({
    Id = "kms-key-policy",
    Statement = [
      {
        # The only principal in the whole policy is an AWS service.
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*", # "kms:ReEncrypt" is not a KMS action; the wildcard covers kms:ReEncryptFrom and kms:ReEncryptTo
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:PutKeyPolicy",
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}
I can't seem to find what is wrong with my policy. Thanks.
This statement only allows the principal states.amazonaws.com to perform certain actions with the key. It prevents you (the owner of the key) from modifying the key in the future. That is why it rejects this policy.
I think you also want to allow users from your AWS account to update the policy. Right now the policy cannot be updated, because you only allow an AWS service to perform certain actions. To fix this, I would add something like the following:
resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id
  policy = jsonencode({
    Id      = "kms-key-policy",
    Version = "2012-10-17",
    Statement = [
      {
        # Key administration statement: an IAM identity in your own account
        # keeps the right to change the key policy (kms:Put* covers kms:PutKeyPolicy),
        # which is what the KMS lockout safety check requires.
        Sid    = "Allow administration of the key",
        Effect = "Allow",
        Principal = {
          "AWS" = "arn:aws:iam::<your AWS account ID>:user/<user name>"
        },
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*" # in a key policy "*" means "this key"
      },
      {
        # Key usage statement for Step Functions: cryptographic operations only,
        # no kms:PutKeyPolicy for the service principal.
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*", # "kms:ReEncrypt" is not a KMS action; the wildcard covers kms:ReEncryptFrom and kms:ReEncryptTo
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:CreateGrant"
        ],
        Resource = ["*"]
      }
    ]
  })
}
This will only allow the user you specified to administer the KMS key. If you want to allow the account root user to administer the key instead, you can use the following principal:
Principal = {
"AWS" = "arn:aws:iam::<your AWS account ID>:root"
}
If you have a different identity that needs to administer the key, you can find more examples in the re:Post article.
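The lockout condition the answer describes can be caught before terraform apply. The following Python is an added example, not code from the question, the answer or the AWS provider: a simplified offline version of the KMS policy lockout safety check. It models only the Allow side (an Allow statement granting kms:PutKeyPolicy, directly or via a wildcard such as kms:Put* or kms:*, on this key to an AWS account or IAM principal) and ignores Deny statements and Condition blocks, so "passes" is a hint rather than proof. The account ID, key ARN and key-admin user ARN are placeholders, and the two sample policies are constructed to mirror the shapes posted above.

```python
"""Added example: offline pre-check for the KMS key-policy lockout condition.

KMS rejects a new key policy when nobody in the key's account could call
kms:PutKeyPolicy afterwards. This check approximates that rule: it looks for
an Allow statement granting kms:PutKeyPolicy on the key to an AWS principal.
Deny statements and Conditions are NOT evaluated (simplification).
"""
import fnmatch

# Placeholder identifiers, used only in the constructed sample policies below.
ACCOUNT_ID = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/key-admin"


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and principal values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _aws_principals(principal):
    """AWS (account root / IAM user / IAM role) principals of a statement.

    Service principals such as states.amazonaws.com are excluded on purpose: a
    service cannot call PutKeyPolicy on your behalf to repair a locked key, which
    is why granting kms:PutKeyPolicy to the service did not help in the question.
    """
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _grants(action_patterns, action):
    """True if an IAM action pattern (kms:Put*, kms:*, ...) matches the action.
    IAM action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in action_patterns)


def _covers_this_key(resources):
    """In a key policy the resource is this key: "*" or the key's own ARN."""
    return any(r == "*" or r.startswith("arn:aws:kms:") for r in resources)


def admin_principals(policy):
    """AWS principals that some Allow statement lets call kms:PutKeyPolicy on the key."""
    admins = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants(_as_list(stmt.get("Action")), "kms:PutKeyPolicy"):
            continue
        if not _covers_this_key(_as_list(stmt.get("Resource"))):
            continue
        admins.extend(_aws_principals(stmt.get("Principal")))
    return admins


def would_lock_out(policy):
    """True when the policy would trip the KMS lockout safety check (approximation)."""
    return not admin_principals(policy)


# Constructed sample 1: the shape of the policy in the question. The only
# principal is a service, so no one in the account could update the policy.
REJECTED_POLICY = {
    "Id": "kms-key-policy",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "states.amazonaws.com"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey",
                   "kms:DescribeKey", "kms:PutKeyPolicy", "kms:CreateGrant"],
        "Resource": KEY_ARN,
    }],
}

# Constructed sample 2: the shape of the fixed policy in the answer, with a
# placeholder IAM user as key administrator (kms:Put* covers kms:PutKeyPolicy).
ACCEPTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "kms-key-policy",
    "Statement": [
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ARN},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                       "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "states.amazonaws.com"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey",
                       "kms:DescribeKey", "kms:CreateGrant"],
            "Resource": ["*"],
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("question", REJECTED_POLICY), ("answer", ACCEPTED_POLICY)):
        verdict = "would be REJECTED (lockout)" if would_lock_out(policy) else "passes"
        print(f"{name}: {verdict}; admins={admin_principals(policy)}")
```

Run the file directly, or feed it the decoded output of terraform show -json, to see which statement (if any) keeps kms:PutKeyPolicy in your own hands. Both the KMS PutKeyPolicy API and the aws_kms_key_policy resource expose a bypass_policy_lockout_safety_check switch; the right fix is the administration statement the answer shows, not disabling the check, because a bypassed lockout can only be undone by AWS Support.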