AWS KMS 密钥策略 - 如何添加委托人
AWS KMS Key Policy - How to add Principal
我一直在尝试通过 aws kms cli 将委托人动态添加到 AWS KMS 策略声明中,我真的很认真 AWS 文档是有史以来最糟糕的文档之一!
有人知道如何以编程方式(使用 aws kms 或任何其他替代方法)将委托人添加到下面的政策声明中吗?
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
无法使用 CLI 将新主体添加到资源策略。
但是,您可以使用 put-key-policy
命令将密钥策略替换为新版本。
动态添加委托人的最佳方式是利用代码生成技术生成密钥策略。我通常在 Jinja2 中使用 Python。
可以使用以下命令将生成的策略附加到 CMK:
aws kms put-key-policy \
--policy-name default \
--key-id <kms-key-id> \
--policy file://new_key_policy.json
我一直在尝试通过 aws kms cli 将委托人动态添加到 AWS KMS 策略声明中,我真的很认真 AWS 文档是有史以来最糟糕的文档之一!
有人知道如何以编程方式(使用 aws kms 或任何其他替代方法)将委托人添加到下面的政策声明中吗?
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
无法使用 CLI 将新主体添加到资源策略。
但是,您可以使用 put-key-policy
命令将密钥策略替换为新版本。
动态添加委托人的最佳方式是利用代码生成技术生成密钥策略。我通常在 Jinja2 中使用 Python。
可以使用以下命令将生成的策略附加到 CMK:
aws kms put-key-policy \
--policy-name default \
--key-id <kms-key-id> \
--policy file://new_key_policy.json