
Cannot assign a KMS grant to a role in AWS

  •  0
  • mat  · Tech Community  · 5 years ago

    I have a KMS encryption key and two roles: a key admin and a key user.

    Here is what I am doing:

    $ aws kms create-key
    {
        "KeyMetadata": {
            "AWSAccountId": "1234567890",
            "KeyId": "99999999-9999-9999-9999-999999999999",
            "Arn": "arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999",
            "CreationDate": 1583827994.922,
            "Enabled": true,
            "Description": "",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "Enabled",
            "Origin": "AWS_KMS",
            "KeyManager": "CUSTOMER",
            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "EncryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ]
        }
    }
    
    $ cat /tmp/kp.json 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdmin",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::1234567890:role/keyadmin-role"
                },
                "Action": "kms:CreateGrant",
                "Resource": "*"
            },
            {
                "Sid": "KMS account admin access",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::1234567890:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            }
        ]
    }
    
    $ aws kms put-key-policy --key-id 99999999-9999-9999-9999-999999999999 --policy-name default --policy file:///tmp/kp.json
    
    $ aws --profile keyadmin-role kms create-grant --key-id 99999999-9999-9999-9999-999999999999 --grantee-principal awn:aws:iam:::1234567890/role/keyuser-role --operations Encrypt Decrypt
    {
        "GrantToken": "AQpANGJiNDRhMjVhNGRmNjY0MDBjYTU2YWNlOTkyNWVjNDBkNmFlMDA1Nzc2MmEzMjFkZjk1N2Q2ODc1NzU2ZDYxMiKpAgEBAgB4S7RKJaTfZkAMpWrOmSXsQNauAFd2KjId-VfWh1dW1hIAAAEAMIH9BgkqhkiG9w0BBwagge8wgewCAQAwgeYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQML6vpVnNolKHIUz9eAgEQgIG4WcppsyTfo4BBKLvV02Wz1K6LlxpNXhhEZVFlCnTzO3Lsat5LBwtlCilPxpcW5N7f8ucjfi_AiH5VYM50_nNqGF1rH5GgzZoDXn76salNvzxF9YoPP3iWiH-NQ7O695kv0svhdONpfrk8nNCBvOeQbQDj9sLCUGbOI3Di51YKKzb9TZd_hwRxWcniAnYphqQkpyYIKttwHmsftZaODzEM64Rj_hU1_bexRwzPW8E75wnjrS_vNNXCHCog5DA2gg4zsbNyECk3qsGQk8yESJzwsKT_lP6Cf8nqrps",
        "GrantId": "e43036820e33b1b372102937aac19093cc84489cf0b0a4ff94fe827fc9eaae9b"
    }
    $ aws kms list-grants --key-id 99999999-9999-9999-9999-999999999999
    {
        "Grants": [
            {
                "KeyId": "arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999",
                "GrantId": "e43036820e33b1b372102937aac19093cc84489cf0b0a4ff94fe827fc9eaae9b",
                "Name": "",
                "CreationDate": 1583828859.0,
                "GranteePrincipal": "awn:aws:iam:::1234567890/role/keyuser-role",
                "IssuingAccount": "arn:aws:iam::1234567890:root",
                "Operations": [
                    "Decrypt",
                    "Encrypt"
                ]
            }
        ]
    }
    $ aws  --profile keyuser-role kms encrypt --key-id 99999999-9999-9999-9999-999999999999 --plaintext "foo"
    
    An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952 is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999
    
    $ aws  --profile keyuser-role kms encrypt --key-id 99999999-9999-9999-9999-999999999999 --plaintext "foo" --grant-tokens "AQpANGJiNDRhMjVhNGRmNjY0MDBjYTU2YWNlOTkyNWVjNDBkNmFlMDA1Nzc2MmEzMjFkZjk1N2Q2ODc1NzU2ZDYxMiKpAgEBAgB4S7RKJaTfZkAMpWrOmSXsQNauAFd2KjId-VfWh1dW1hIAAAEAMIH9BgkqhkiG9w0BBwagge8wgewCAQAwgeYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQML6vpVnNolKHIUz9eAgEQgIG4WcppsyTfo4BBKLvV02Wz1K6LlxpNXhhEZVFlCnTzO3Lsat5LBwtlCilPxpcW5N7f8ucjfi_AiH5VYM50_nNqGF1rH5GgzZoDXn76salNvzxF9YoPP3iWiH-NQ7O695kv0svhdONpfrk8nNCBvOeQbQDj9sLCUGbOI3Di51YKKzb9TZd_hwRxWcniAnYphqQkpyYIKttwHmsftZaODzEM64Rj_hU1_bexRwzPW8E75wnjrS_vNNXCHCog5DA2gg4zsbNyECk3qsGQk8yESJzwsKT_lP6Cf8nqrps"
    
    An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952 is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999
    
    $ aws  --profile keyuser-role sts get-caller-identity
    {
        "UserId": "AROA2AD3X6CJC6MODMUZP:botocore-session-1583827952",
        "Account": "1234567890",
        "Arn": "arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952"
    }
    

    Update

    The roles have no IAM policies attached.

    0 replies  |  as of 5 years ago
        1
  •  1
  •   mat    4 years ago

    I made a silly mistake in the grantee-principal of create-grant. Replacing

    awn:aws:iam:::1234567890/role/keyuser-role
    

    with

    arn:aws:iam::1234567890:role/keyuser-role
    

    everything works.

    Luckily, the AWS forum pointed out the error.
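    As an added example, not code from the question, from the forum answer, or from AWS: a pre-flight check in Python that rejects a malformed grantee-principal before create-grant is ever called, and that maps the assumed-role ARN KMS reports in the AccessDenied message back to the role ARN a grant has to name. KMS stored the mistyped `awn:aws:iam:::...` string without complaint (it shows up verbatim in list-grants), so the only place this can be caught is client-side. The account ID, role names and session name below are constructed placeholders modelled on the post (12 digits, because a real account ID is 12 digits); `build_create_grant_request` only assembles the keyword arguments for boto3's `kms.create_grant(**kwargs)` and never contacts AWS.

```python
import re
from typing import Dict, List, Optional

# Constructed sample values modelled on the post (placeholder account, roles, session).
ACCOUNT = "123456789012"
KEY_ID = "99999999-9999-9999-9999-999999999999"
BAD_GRANTEE = f"awn:aws:iam:::{ACCOUNT}/role/keyuser-role"   # the typo from the question
GOOD_GRANTEE = f"arn:aws:iam::{ACCOUNT}:role/keyuser-role"
CALLER_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/keyuser-role/botocore-session-1583827952"

# Operations a KMS grant may name (the KMS GrantOperation enum).
GRANT_OPERATIONS = {
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant",
    "RetireGrant", "DescribeKey", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac",
}

# arn:<partition>:iam::<12-digit account>:<root | user/... | role/...>; IAM is global, region is empty.
_IAM_PRINCIPAL_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"(?P<resource>root|(?:user|role)/[\w+=,.@/-]+)$"
)
# arn:<partition>:sts::<account>:assumed-role/<role name>/<session>; the role's path is dropped here.
_STS_ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):sts::(?P<account>\d{12}):"
    r"assumed-role/(?P<role_name>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$"
)


def parse_iam_principal(arn: str) -> Dict[str, str]:
    """Parse an IAM principal ARN; raise ValueError naming the first field that is wrong."""
    m = _IAM_PRINCIPAL_RE.match(arn)
    if m:
        return m.groupdict()
    f = arn.split(":")
    if f[0] != "arn":
        raise ValueError(f"{arn!r}: must start with 'arn:', got {f[0]!r}")
    if len(f) != 6:
        raise ValueError(f"{arn!r}: IAM ARNs have 6 colon-separated fields, got {len(f)}")
    if f[2] != "iam":
        raise ValueError(f"{arn!r}: service must be 'iam', got {f[2]!r}")
    if f[3]:
        raise ValueError(f"{arn!r}: region must be empty for IAM, got {f[3]!r}")
    if not re.fullmatch(r"\d{12}", f[4]):
        raise ValueError(f"{arn!r}: account must be 12 digits, got {f[4]!r}")
    raise ValueError(f"{arn!r}: resource must be root, user/<name> or role/<name>, got {f[5]!r}")


def grantee_error(arn: str) -> Optional[str]:
    """Return the validation error for arn, or None if it is a well-formed IAM principal."""
    try:
        parse_iam_principal(arn)
        return None
    except ValueError as err:
        return str(err)


def grant_covers_caller(grantee_principal: str, caller_arn: str) -> bool:
    """True if a grant issued to a role grantee applies to the given STS assumed-role identity.

    Matches on partition, account and role name (the path is not part of the STS ARN).
    A malformed grantee matches nothing, which is the silent failure in the question.
    """
    try:
        grantee = parse_iam_principal(grantee_principal)
    except ValueError:
        return False
    caller = _STS_ASSUMED_ROLE_RE.match(caller_arn)
    if caller is None or not grantee["resource"].startswith("role/"):
        return False
    role_name = grantee["resource"].rsplit("/", 1)[1]   # strip any path prefix
    return (grantee["partition"], grantee["account"], role_name) == (
        caller["partition"], caller["account"], caller["role_name"]
    )


def build_create_grant_request(key_id: str, grantee_principal: str,
                               operations: List[str]) -> Dict[str, object]:
    """Validate inputs and return kwargs for boto3's kms.create_grant(**kwargs).

    Fails closed on a malformed grantee or an unknown operation instead of letting KMS
    store a grant that no principal can ever use.
    """
    parse_iam_principal(grantee_principal)
    unknown = sorted(set(operations) - GRANT_OPERATIONS)
    if unknown:
        raise ValueError(f"unknown grant operations: {unknown}")
    return {"KeyId": key_id, "GranteePrincipal": grantee_principal, "Operations": list(operations)}


if __name__ == "__main__":
    for grantee in (BAD_GRANTEE, GOOD_GRANTEE):
        try:
            req = build_create_grant_request(KEY_ID, grantee, ["Encrypt", "Decrypt"])
            print("ok:", req, "| covers caller:", grant_covers_caller(grantee, CALLER_ARN))
        except ValueError as err:
            print("rejected:", err)
```

    Running it rejects the first grantee with "must start with 'arn:', got 'awn'" and accepts the second, reporting that it covers the assumed-role session from the AccessDenied message. Wire `build_create_grant_request` in front of the real `create_grant` call and the typo in the question becomes a hard error at grant-creation time rather than an AccessDeniedException discovered later by the key user.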

        2
  •  -1
  •   Tres' Bailey    5 years ago

    It is hard to say for certain without seeing the policy defined for the KeyUser role, but I believe your problem is that the role may not have the required KMS actions defined for it.

    The AWS docs for defining KMS access to roles describe how to define the kms:Encrypt action on a KMS key for an IAM role. If the IAM role does not have these actions defined, you will be blocked before you ever get to the grant on the KMS key.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt"
        ],
        "Resource": [
          "arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999"
        ]
      }
    }