Ton*_*ott 5 amazon-web-services aws-cloudformation
I'm trying to create an AWS KMS key policy, but I'm having trouble getting CloudFormation to accept it. Everything I've been able to find and read suggests this policy should work, and the syntax is correct when it runs, but it returns MalformedPolicyDocumentException null (Service: AWSKMS; Status Code: 400;
Has anyone else run into this? If so, any ideas or suggestions on how to resolve these errors? I've been stuck on this, banging my head against it, and can't see what I'm missing; my google-fu is failing me.
Code snippet:
```yaml
SnowflakeProdKMS:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key used by Snowflake to encrypt/decrypt data stored in s3
    Enabled: True
    EnableKeyRotation: False
    KeyPolicy:
      Version: '2012-10-17'   # quoted so the YAML parser keeps it a string, not a date
      Id: key-default-1
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              # the original had a stray '/' before 'role', which is not a valid IAM ARN
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
          Action: kms:*
          Resource: '*'
        - Sid: Allow use of the key by other roles
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
          Action:
            - kms:Encrypt
            - kms:Decrypt
            - kms:ReEncrypt*   # the real actions are kms:ReEncryptFrom / kms:ReEncryptTo
            - kms:GenerateDataKey
            - kms:DescribeKey
          Resource: '*'
        - Sid: Allow attachment of persistent resources
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:CreateGrant
            - kms:ListGrants
            - kms:RevokeGrant
          Resource: '*'
          Condition:
            Bool:
              # list form: this is the shape KMS rejects (see the answer below)
              - kms:GrantIsForAWSResource: 'true'
```
After a lot of trial and error, and after reaching out to other partners, I found the solution to the problem above.
The Condition in the snippet above was not correct; it should be in the following format:
```yaml
Condition:
  Bool:
    "kms:GrantIsForAWSResource": true
```
Once I changed the policy to this, there were no more problems.
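The difference between the two Condition blocks is structural, not cosmetic: a YAML list under `Bool` renders to JSON as `"Bool": [{...}]`, and KMS expects `"Bool": {...}`, a map of condition keys. The following is an added example, not code from the question or the answer: a small structural lint that runs over the JSON CloudFormation renders from `KeyPolicy` and reports Condition operators that are not maps, plus AWS principals that are not well-formed IAM ARNs (the `:/role/` form in the question would also be caught). The account id `123456789012`, the trimmed statement set and both policy documents are constructed sample data; `lint_key_policy` is a hypothetical helper, not an AWS API.

```python
"""Structural lint for a rendered KMS key policy document (added example)."""
import json
import re

# Accepts a bare 12-digit account id or a root/user/role IAM ARN.
# A principal such as 'arn:aws:iam::123456789012:/role/Name' does not match.
IAM_PRINCIPAL = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:(root|user/.+|role/.+))$")

# Constructed: the JSON CloudFormation produces from the question's YAML,
# with ${AWS::AccountId} replaced by a placeholder account id.
BROKEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable AWSAdminRole to have full permissions to KMS key",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:/role/AWSAdminRole"]},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:role/AWSAdminRole",
                            "arn:aws:iam::123456789012:root"]},
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {"Bool": [{"kms:GrantIsForAWSResource": "true"}]}
    }
  ]
}
""")

# Constructed: the same document with the answer's Condition fix applied
# and the principal ARN corrected.
FIXED_POLICY = json.loads(json.dumps(BROKEN_POLICY))
FIXED_POLICY["Statement"][0]["Principal"]["AWS"] = [
    "arn:aws:iam::123456789012:role/AWSAdminRole"]
FIXED_POLICY["Statement"][1]["Condition"] = {
    "Bool": {"kms:GrantIsForAWSResource": True}}


def _as_list(value):
    """Policy grammar allows a scalar or a list in many places; normalise."""
    return value if isinstance(value, list) else [value]


def _check_principal(sid, principal):
    problems = []
    if principal is None:
        return [f"{sid}: key policy statements must name a Principal"]
    if principal == "*":
        return problems
    if not isinstance(principal, dict):
        return [f"{sid}: Principal must be '*' or a map, not a {type(principal).__name__}"]
    for arn in _as_list(principal.get("AWS", [])):
        if arn != "*" and not (isinstance(arn, str) and IAM_PRINCIPAL.match(arn)):
            problems.append(f"{sid}: malformed AWS principal {arn!r}")
    return problems


def _check_condition(sid, condition):
    problems = []
    if condition is None:
        return problems
    if not isinstance(condition, dict):
        return [f"{sid}: Condition must be a map of operators, not a {type(condition).__name__}"]
    for operator, keys in condition.items():
        if not isinstance(keys, dict):
            # The YAML list in the question lands here: Bool -> list instead of map.
            problems.append(f"{sid}: Condition operator {operator!r} must map to a map "
                            f"of condition keys, not a {type(keys).__name__}")
            continue
        for key, value in keys.items():
            if ":" not in key:
                problems.append(f"{sid}: condition key {key!r} should be service-qualified")
            if operator.startswith("Bool") and str(value).lower() not in ("true", "false"):
                problems.append(f"{sid}: Bool condition {key!r} needs true/false, got {value!r}")
    return problems


def lint_key_policy(policy):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        problems += _check_principal(sid, stmt.get("Principal"))
        problems += _check_condition(sid, stmt.get("Condition"))
    return problems


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_key_policy(doc) or "ok")
```

Running the script reports two problems for the broken document (the `:/role/` principal and the list under `Bool`) and none for the fixed one. Catching these shapes locally is useful because the KMS error only says `MalformedPolicyDocumentException` without pointing at the offending statement.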
Views: 2409