Getting the error in using Terraform for AWS: "The new key policy will not allow you to update the key policy in the future."
Running terraform to create a key policy in AWS KMS, I get the error:
- aws_kms_key.dyn_logs_server_side_cmk: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
status code: 400, request id: e34567896780780
There are many posts about this problem, but none of them helped.
So, my kms.tf file is as follows:
provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region     = "${var.aws_region}"
}

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
  description         = "dyn-logs-sse-cmk-${var.environment}"
  enable_key_rotation = "true"
  policy = <<EOF
{
  "Version":"2015-11-17",
  "Statement":[
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${var.account_id}:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
EOF
}
This is what I see in the output after running terraform apply "dyn-vpc.plan":
aws_kms_key.dyn_logs_server_side_cmk: Creating...
arn: "" => "<computed>"
description: "" => "dyn-logs-server-dyn"
enable_key_rotation: "" => "true"
is_enabled: "" => "true"
key_id: "" => "<computed>"
key_usage: "" => "<computed>"
policy: "" => "{\n \"Version\":\"2015-11-17\",\n \"Statement\":[\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::12345678901234:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n }\n ]\n}\n"
aws_kms_key.dyn_logs_server_side_cmk: Still creating... (10s elapsed)
aws_kms_key.dyn_logs_server_side_cmk: Still creating... (20s elapsed)
Error applying plan:
1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk: 1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk:
MalformedPolicyDocumentException: The new key policy will not allow
you to update the key policy in the future.
Basically, @ydaetskcoR's comment is correct. The account_id in the policy was wrong, and that caused the error. MalformedPolicyDocumentException is not really informative; you need to find the real cause.

In my case the account ID was correct, but the user creating the key was not included in the Enable IAM User Permissions statement. I had to do this:
resource "aws_kms_key" "dyn_logs_server_side_cmk" {
  description         = "dyn-logs-sse-cmk-${var.environment}"
  enable_key_rotation = "true"
  policy = <<EOF
{
  "Version":"2015-11-17",
  "Statement":[
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${var.account_id}:root",
          "arn:aws:iam::${var.account_id}:user/system/terraform-user"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
EOF
}
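As an added example (not code from the question or either answer), here is a small Python check that approximates the KMS policy-lockout safety check offline, so a key policy can be linted before terraform apply. The account id and caller ARN are placeholders; a root-only policy is reported as "root-only", meaning the call succeeds only if the caller's own IAM permissions also allow kms:PutKeyPolicy, which is the situation the second answer describes.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies modelled on the question; the account id and the
# caller ARN are placeholders, not values taken from the page.
ACCOUNT = "123456789012"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
CALLER = f"arn:aws:iam::{ACCOUNT}:user/system/terraform-user"

def _policy(principals, version="2012-10-17"):
    return json.dumps({"Version": version, "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": principals}, "Action": "kms:*", "Resource": "*"}]})

ROOT_ONLY = _policy(ROOT, version="2015-11-17")  # the question's policy
ROOT_AND_CALLER = _policy([ROOT, CALLER])        # the accepted answer's fix
OTHER_USER_ONLY = _policy(f"arn:aws:iam::{ACCOUNT}:user/someone-else")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_key_policy(policy_json, caller_arn, account_id):
    """Offline approximation of the KMS policy-lockout safety check. Returns
    (status, problems): "ok" if the caller is explicitly allowed kms:PutKeyPolicy,
    "root-only" if only the account root is (the call then succeeds only if the
    caller's own IAM policies grant kms:PutKeyPolicy), else "locked-out"."""
    doc = json.loads(policy_json)
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append(f"Version {doc.get('Version')!r} is not the IAM policy "
                        "language version 2012-10-17")
    root = f"arn:aws:iam::{account_id}:root"
    explicit = via_root = False
    for stmt in _as_list(doc.get("Statement", [])):
        # This approximation credits only unconditional Allow statements.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("kms:putkeypolicy", a) for a in actions):
            continue
        prin = stmt.get("Principal", {})
        arns = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
        arns = [root if a == account_id else a for a in arns]  # bare id == root
        if "*" in arns or caller_arn in arns:
            explicit = True
        elif root in arns:
            via_root = True
    status = "ok" if explicit else ("root-only" if via_root else "locked-out")
    return status, problems
```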