AWS KMS Key Policy - How to add Principal

I have been trying to dynamically add a principal to an AWS KMS policy statement through the aws kms CLI, and I am being serious: the AWS documentation is one of the worst pieces of documentation ever!

Does anyone know how to programmatically (using aws kms or any other alternative) add a principal to the policy statement below?

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    // I need to programatically add the ARN role here
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    // I need to programatically add the ARN role here
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    // I need to programatically add the ARN role here
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

A new principal cannot be added to the resource policy with the CLI. However, you can replace the key policy with a new version using the put-key-policy command.

The best way to dynamically add principals is to use code generation to produce the key policy. I usually use Python with Jinja2.

The generated policy can be attached to the CMK with the following command:

aws kms put-key-policy \
    --policy-name default \
    --key-id <kms-key-id> \
    --policy file://new_key_policy.json
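The answer above describes a read-generate-replace workflow: the key policy is a whole document, so adding a principal means producing a new document and handing it to put-key-policy. The following script is an added example, not code from the question or the answer, and it uses the standard json module instead of a Jinja2 template. It parses an existing key policy, appends a role ARN to the statement with the requested Sid, and prints the new document. The sample policy, the account id 111122223333 and the role names are constructed placeholders. Two details matter in practice: IAM allows "Principal": {"AWS": ...} to be either a single string or a list, so the code normalises both forms, and the edit is idempotent so running it twice does not duplicate the ARN. Note that the policy in the question contains // comments, which are not valid JSON; a generated document must not carry them.

```python
import json
import sys

# Constructed sample: a trimmed version of the key policy from the question,
# with a placeholder account id and a root statement so the key stays manageable.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            # single-string form of Principal.AWS, which IAM accepts
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": []},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """Principal.AWS may be absent, a single string or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def add_principal(policy_json: str, sid: str, principal_arn: str) -> str:
    """Return a new key-policy document with principal_arn added to the
    statement whose Sid matches. Idempotent: an ARN already present is kept once."""
    policy = json.loads(policy_json)
    matches = [s for s in policy.get("Statement", []) if s.get("Sid") == sid]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one statement with Sid {sid!r}, found {len(matches)}")
    stmt = matches[0]
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        # "Principal": "*" would be a public grant; refuse to extend such a statement.
        raise ValueError(f"statement {sid!r} has no AWS principal map to extend")
    aws = _as_list(principal.get("AWS"))
    if principal_arn not in aws:
        aws.append(principal_arn)
    principal["AWS"] = aws
    return json.dumps(policy, indent=4)


def principals_for(policy_json: str, sid: str) -> list:
    """List the AWS principals of the statement with the given Sid (for checking results)."""
    policy = json.loads(policy_json)
    for s in policy.get("Statement", []):
        if s.get("Sid") == sid:
            return _as_list(s.get("Principal", {}).get("AWS"))
    return []


if __name__ == "__main__":
    # Usage (hypothetical file name add_principal.py):
    #   aws kms get-key-policy --key-id <kms-key-id> --policy-name default --output text \
    #     | python add_principal.py "Allow use of the key" arn:aws:iam::111122223333:role/app-role \
    #     > new_key_policy.json
    # then attach new_key_policy.json with the put-key-policy command shown above.
    if len(sys.argv) != 3:
        sys.exit("usage: add_principal.py <Sid> <principal-arn>  (policy JSON on stdin)")
    print(add_principal(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

Reading the current policy with get-key-policy before regenerating it keeps every statement you did not mean to touch, including the account root statement; put-key-policy refuses, by default, a document that would leave the key unmanageable by the caller, and that safety check is worth keeping enabled. Because the key administrators statement grants kms:Put*, any principal added there can rewrite the policy itself, so that statement deserves stricter review than the key usage statement.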