我是 AWS 的新手,我已经开发了一个 Lambda 函数来使用 KmsClient 进行加密和解密。
这就是我使用aws reagion构建KmsClient的方式,
final KmsClient kmsClient = KmsClient.builder().region(awsRegion).build();
我正在使用 Envelope Encryption 进行加密,所以我使用 GenerateDataKeyRequest 为纯文本生成和密钥,
GenerateDataKeyRequest generateDataKeyRequest = GenerateDataKeyRequest.builder().keyId(arnKey).encryptionContext(encryptionContext).
keySpec(DataKeySpec.AES_256).build();
GenerateDataKeyResponse generateDataKeyResponse = kmsClient.generateDataKey(generateDataKeyRequest);
在上面的行中,我遇到了以下异常:
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).
我试图通过设置环境变量来解决这个问题,但它仍然不起作用。
我的 kms 密钥策略如下所示:
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxxxx:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
"arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
任何帮助将非常感激:
在此先感谢,普拉迪普