
我是 AWS 的新手,我已经开发了一个 Lambda 函数来使用 KmsClient 进行加密和解密。

这是我使用 AWS 区域(region)构建 KmsClient 的方式(没有显式指定凭证提供者,因此 SDK 会使用默认凭证提供者链):

final KmsClient kmsClient = KmsClient.builder().region(awsRegion).build();

我正在使用信封加密(Envelope Encryption),所以我先用 GenerateDataKeyRequest 为明文生成一个数据密钥(同时传入 encryptionContext):

GenerateDataKeyRequest generateDataKeyRequest = GenerateDataKeyRequest.builder().keyId(arnKey).encryptionContext(encryptionContext).
keySpec(DataKeySpec.AES_256).build();
   
GenerateDataKeyResponse generateDataKeyResponse = kmsClient.generateDataKey(generateDataKeyRequest);

调用 generateDataKey 的这一行抛出了以下异常:

software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).

我尝试通过手动设置 AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY 环境变量来解决这个问题,但仍然不起作用。

我的 KMS 密钥策略如下(账号 ID 已用 x 替换):

    {
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

任何帮助都将非常感激。

在此先感谢,普拉迪普




在 Lambda 函数中,不应该使用长期的 IAM 访问密钥,而应该依赖 Lambda 函数的执行角色(IAM role):Lambda 运行时会把该角色的临时凭证注入到函数环境中,SDK 的默认凭证提供者链会自动读取它们,无需在代码或环境变量里配置访问密钥。如果您在本地运行这段代码而不是在 Lambda 中运行,就会看到"Unable to load credentials"这类错误,这时需要通过本地的 AWS 配置文件或环境变量提供凭证。

确保 Lambda 执行角色具有正确的 IAM 权限,至少包括对该 KMS 密钥的 kms:GenerateDataKey、kms:DescribeKey 和 kms:Decrypt 权限。AWS 文档中给出的示例策略如下(注意示例中的 Resource 匹配账号内所有区域的所有密钥,实际使用时应收窄到具体密钥的 ARN,以符合最小权限原则):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:*:111122223333:key/*"
    ]
  }
}

最后,如果仍然出现权限问题,请确认 KMS 密钥策略(key policy)中的"Allow use of the key"语句确实包含了该 Lambda 函数实际使用的执行角色——KMS 要求密钥策略和 IAM 策略同时允许访问。另外,由于您在 GenerateDataKey 时传入了 encryptionContext,之后 Decrypt 时必须传入完全相同的 encryptionContext,否则解密会失败。

于 2020-07-03T15:29:51.600 回答