I am trying to use an Auto Scaling group in AWS to create and manage instances launched from an AMI whose snapshots are encrypted with a CMK owned by a different AWS account.
I keep getting the error "Client.InternalError: Client error on launch". According to Scenario 2 at https://docs.aws.amazon.com/autoscaling/ec2/userguide/ts-as-instancelaunchfailure.html#ts-as-instancelaunchfailure-12, I need to use the Auto Scaling group service-linked role as the grantee principal.
I tried to follow the AWS documentation and the guidance in https://forums.aws.amazon.com/thread.jspa?threadID=277523 to set up the grant.
However, I keep getting an AccessDeniedException stating that my user is not authorized to perform kms:CreateGrant on the CMK.
I feel that I have followed the instructions to the letter, but it does not work. I hope someone can offer some insight.
I chatted with an AWS employee who ran into the same problem until he re-read the forum post. The key line in Case 2 Step 4 is "The kms:GrantIsForAWSResource condition is not included to allow an IAM user or role in account 111122223333 to create the grant in the next step.".
In other words, you need to remove this condition from the default key policy for a customer managed CMK.
The instructions could've made that requirement much more explicit, but technically it's there and it resolves the problem.
Edit: To clarify, I'm going to include the default and amended JSON below.
The following is the default key policy as shown at https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSAdminUser",
        "arn:aws:iam::111122223333:role/KMSAdminRole"
      ]},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
The key is to remove the Condition for "kms:GrantIsForAWSResource" as below.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSAdminUser",
        "arn:aws:iam::111122223333:role/KMSAdminRole"
      ]},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/KMSUser",
        "arn:aws:iam::111122223333:role/KMSRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*"
    }
  ]
}
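As an added illustration (not code from the question or the answer above): a small, simplified key-policy evaluator that shows why the default "persistent resources" statement denies a direct kms:CreateGrant call from an IAM user, together with the amendment the answer describes applied programmatically. The sample policy, the evaluator's simplifications (Allow statements only, exact principal match) and the modelling of the condition key are assumptions of this example.

```python
import copy
import fnmatch
# Constructed sample: the "persistent resources" statement of the default key policy
# quoted in the answer (account ids are the AWS documentation placeholders).
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow attachment of persistent resources", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/KMSUser",
                              "arn:aws:iam::444455556666:root"]},
        "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
        "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
    }],
}
GRANT_COND = "kms:GrantIsForAWSResource"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, principal_arn, action, via_aws_service=False):
    # Simplified key-policy check. via_aws_service models kms:GrantIsForAWSResource, which is
    # true only when an AWS service creates the grant on the caller's behalf, not for direct calls.
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(st.get("Principal", {}).get("AWS", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if GRANT_COND in cond and (cond[GRANT_COND] == "true") != via_aws_service:
            continue
        return True
    return False

def strip_grant_condition(policy):
    # The fix from the answer: drop kms:GrantIsForAWSResource from every statement that
    # allows kms:CreateGrant, removing emptied Condition blocks so the JSON stays valid.
    amended = copy.deepcopy(policy)
    for st in amended["Statement"]:
        if not any(fnmatch.fnmatchcase("kms:CreateGrant", p) for p in _as_list(st.get("Action", []))):
            continue
        bools = st.get("Condition", {}).get("Bool", {})
        bools.pop(GRANT_COND, None)
        if "Condition" in st and not bools:
            st["Condition"].pop("Bool", None)
        if "Condition" in st and not st["Condition"]:
            del st["Condition"]
    return amended
```

Note that dropping the condition widens who may create grants on the key, so keeping the principal list in that statement as narrow as possible matters more once the condition is gone.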