MalformedPolicyDocumentException when creating AWS KMS Key
I am trying to create a key in KMS using kms_client in Python 3.x:
import boto3

kms_client = boto3.client('kms')
policy = """
{
    "Sid": "Allowing access",
    "Effect": "Allow",
    "Principal": {"AWS": [
        "arn:aws:iam::123456:user/sample-user",
        "arn:aws:iam::123456:role/sample-role"
    ]},
    "Action": "kms:*",
    "Resource": "*"
}"""

# Creating client key
desc = "Key for testing"
response = kms_client.create_key(
    Description=desc,
    Policy=policy
)
But when I run it, I get a MalformedPolicyDocumentException error.
I have also tried setting the value of Principal to {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::123456"}, ":root"]]}, but without success.
I also tried using the put_key_policy command after creating the key, but it gives the same error:
# Creating client key
desc = "Key for testing"
response = kms_client.create_key(
    Description=desc
)
key_id = response['KeyMetadata']['KeyId']

# Adding policy to the created key
policy = """
{
    "Version": "2019-5-31",
    "Statement": [{
        "Sid": "Allowing access",
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::123456:user/sample-user",
            "arn:aws:iam::123456:role/sample-role"
        ]},
        "Action": "kms:*",
        "Resource": "*"
    }]
}"""
response = kms_client.put_key_policy(
    KeyId=key_id,
    Policy=policy,
    PolicyName='test'  # as posted; KMS accepts only the policy name 'default'
)
What is wrong here?
Found the solution. Apparently KMS key policies require a specific version number. The correct version should be 2012-10-17.
import boto3

kms_client = boto3.client('kms')
policy = """
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allowing Access",
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::123456:user/sample-user",
            "arn:aws:iam::123456:role/sample-role"
        ]},
        "Action": "kms:*",
        "Resource": "*"
    }]
}"""

# Creating client key
desc = "Key for testing"
response = kms_client.create_key(
    Description=desc,
    Policy=policy
)
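A local pre-flight check for the policy document, as an added example that is not from the original post or from boto3: it catches the two mistakes shown above (a document with no Version/Statement wrapper, and a Version other than 2012-10-17) before the API call, and also flags the policy lockout case that KMS rejects with the same MalformedPolicyDocumentException. The sample policies are constructed, and the lockout check is a simplification that does not know which principal is calling.

```python
import json

KMS_POLICY_VERSION = "2012-10-17"  # the only policy language version KMS accepts
STATEMENT_KEYS = {"Effect", "Principal", "Action", "Resource"}

def _grants_put_key_policy(statement):
    """True if an Allow statement covers kms:PutKeyPolicy (directly or via kms:*)."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return statement.get("Effect") == "Allow" and any(
        action in ("kms:*", "kms:PutKeyPolicy") for action in actions)

def validate_key_policy(policy_text):
    """Return the problems found in a KMS key policy JSON string; [] means it passed."""
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    if doc.get("Version") != KMS_POLICY_VERSION:
        problems.append("Version must be %r, got %r" % (KMS_POLICY_VERSION, doc.get("Version")))
    if '"Ref"' in policy_text or '"Fn::' in policy_text:  # CloudFormation intrinsics
        problems.append("Ref/Fn:: intrinsics are only resolved by CloudFormation, not by the KMS API")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        problems.append("Statement must be a non-empty list of statement objects")
        return problems
    for index, statement in enumerate(statements):
        missing = sorted(STATEMENT_KEYS - set(statement))
        if missing:
            problems.append("statement %d is missing %s" % (index, missing))
    # KMS also rejects a key policy that would leave nobody able to change it (the policy
    # lockout safety check); this local check only confirms that some Allow statement
    # grants kms:PutKeyPolicy, not that the calling principal is among those allowed.
    if not any(_grants_put_key_policy(s) for s in statements):
        problems.append("no Allow statement grants kms:PutKeyPolicy; KMS may reject it as a lockout")
    return problems

# Constructed samples: the shape of the original failing document, and a valid one
BAD_POLICY = '{"Sid": "s", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}'
GOOD_POLICY = json.dumps({"Version": KMS_POLICY_VERSION, "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456:root"},
    "Action": "kms:*", "Resource": "*"}]})
```

Calling validate_key_policy(policy) before create_key or put_key_policy turns the opaque API error into a concrete list of what to fix.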