
I am using the Key Management Service (KMS) in AWS and am currently setting up key policies.

I created two roles, KmsUser and KmsAdmin, and attached the following key policy to my CMK:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMS KeyAdmin access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:role/KmsAdmin",
          "arn:aws:iam::1234567890:user/myadmin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMS KeyUser access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:role/KmsUser"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

The problem is that if I now try to use my key as the myadmin user (which has the AdministratorAccess policy attached), I get an error in the CLI:

$ aws kms encrypt --key-id "alias/test-key" --plaintext fileb:///tmp/plaintext.dat

An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:iam::1234567890:user/myadmin is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-99999999999

What is especially strange is that the IAM Policy Simulator tells me everything should work as expected:

[image: IAM Policy Simulator result showing the action as allowed]

If I manually add the myadmin user as a principal in the key-user statement of the key policy, everything works.

2 Answers

You need to add a statement like this to the key policy:

        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }

This gives the account itself access to the key, which is required before IAM policies can grant access to it.

answered 2020-03-04T16:04:54.573
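The rule behind this answer can be checked mechanically against the JSON that `aws kms get-key-policy` returns. The following Python script is an added example, not code from the question or either answer: it reconstructs the two policies from this page (using the placeholder account ID 1234567890 from the question), reports which KMS actions the key policy delegates to IAM for that account, and emits the corrected policy. Explicit Deny statements, `Condition` blocks and cross-account principals are deliberately left out of the model; that simplification is an assumption of the example, not a statement about KMS.

```python
"""Audit a KMS key policy for the statement that lets IAM policies grant access.

Added example (not from the question or answers). It encodes the rule behind
the accepted answer: an IAM identity-based policy such as AdministratorAccess
on user myadmin can only grant access to a KMS key if the key policy contains
an Allow statement whose principal is the account itself, written either as
"arn:aws:iam::<account>:root" or as the bare account ID.
Assumption: Deny statements, Conditions and cross-account access are ignored.
"""
import json
import re

ACCOUNT_ID = "1234567890"  # placeholder account ID taken from the question

# Key policy as posted in the question: admins and users are named explicitly,
# but the account principal itself is never allowed anything.
ORIGINAL_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KMS KeyAdmin access",
            "Effect": "Allow",
            "Principal": {"AWS": [
                f"arn:aws:iam::{ACCOUNT_ID}:role/KmsAdmin",
                f"arn:aws:iam::{ACCOUNT_ID}:user/myadmin",
            ]},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:TagResource",
                       "kms:UntagResource", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "KMS KeyUser access",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:role/KmsUser"]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

# The statement the accepted answer adds.
ENABLE_IAM_STATEMENT = {
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "kms:*",
    "Resource": "*",
}


def _as_list(value):
    """Policy grammar allows a bare string wherever a list is expected."""
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []  # "*" and service principals are not account delegation


def _is_account_principal(principal, account_id):
    return principal in (account_id, f"arn:aws:iam::{account_id}:root")


def iam_delegated_actions(policy, account_id):
    """Action patterns (e.g. 'kms:*') the key policy delegates to IAM for account_id.

    An empty set means IAM policies in that account cannot grant any access
    to this key, however permissive they are.
    """
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_is_account_principal(p, account_id) for p in _aws_principals(stmt)):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def action_delegated_to_iam(policy, account_id, action):
    """True if an IAM policy could grant `action` (e.g. 'kms:Encrypt') on this key."""
    for pattern in iam_delegated_actions(policy, account_id):
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, action, flags=re.IGNORECASE):
            return True
    return False


def fixed_key_policy():
    """Original policy plus the account-root statement; the original is not mutated."""
    fixed = json.loads(json.dumps(ORIGINAL_KEY_POLICY))
    fixed["Statement"].insert(0, ENABLE_IAM_STATEMENT)
    return fixed


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_KEY_POLICY), ("fixed", fixed_key_policy())):
        allowed = action_delegated_to_iam(policy, ACCOUNT_ID, "kms:Encrypt")
        print(f"{name}: IAM can grant kms:Encrypt -> {allowed}")
    # Save the output as key-policy.json and apply it with:
    #   aws kms put-key-policy --key-id alias/test-key --policy-name default \
    #       --policy file://key-policy.json
    print(json.dumps(fixed_key_policy(), indent=2))
```

Run it once against the policy from the question and it reports that nothing is delegated to IAM, which is exactly why AdministratorAccess on myadmin had no effect; the same functions can be pointed at any key policy pulled with `aws kms get-key-policy --policy-name default` to find keys that have silently locked IAM out.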

If you are creating the KMS construct with AWS CDK, make sure trustAccountIdentities is set to true. Example in TypeScript:

const passwordEncryptionKey = new kms.Key(this, 'MyKey', {
  enabled: true,
  trustAccountIdentities: true,
});

The documentation is here.

answered 2021-08-25T20:21:13.533