Cannot assign KMS grant to role in AWS
I have an encryption key in KMS and two roles: a KeyAdmin role that should be allowed to create grants for a KeyUser role, which in turn should be able to encrypt/decrypt using the key.
Here is what I am doing:
$ aws kms create-key
{
    "KeyMetadata": {
        "AWSAccountId": "1234567890",
        "KeyId": "99999999-9999-9999-9999-999999999999",
        "Arn": "arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999",
        "CreationDate": 1583827994.922,
        "Enabled": true,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
$ cat /tmp/kp.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KeyAdmin",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:role/keyadmin-role"
            },
            "Action": "kms:CreateGrant",
            "Resource": "*"
        },
        {
            "Sid": "KMS account admin access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
$ aws kms put-key-policy --key-id 99999999-9999-9999-9999-999999999999 --policy-name default --policy file:///tmp/kp.json
$ aws --profile keyadmin-role kms create-grant --key-id 99999999-9999-9999-9999-999999999999 --grantee-principal awn:aws:iam:::1234567890/role/keyuser-role --operations Encrypt Decrypt
{
    "GrantToken": "AQpANGJiNDRhMjVhNGRmNjY0MDBjYTU2YWNlOTkyNWVjNDBkNmFlMDA1Nzc2MmEzMjFkZjk1N2Q2ODc1NzU2ZDYxMiKpAgEBAgB4S7RKJaTfZkAMpWrOmSXsQNauAFd2KjId-VfWh1dW1hIAAAEAMIH9BgkqhkiG9w0BBwagge8wgewCAQAwgeYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQML6vpVnNolKHIUz9eAgEQgIG4WcppsyTfo4BBKLvV02Wz1K6LlxpNXhhEZVFlCnTzO3Lsat5LBwtlCilPxpcW5N7f8ucjfi_AiH5VYM50_nNqGF1rH5GgzZoDXn76salNvzxF9YoPP3iWiH-NQ7O695kv0svhdONpfrk8nNCBvOeQbQDj9sLCUGbOI3Di51YKKzb9TZd_hwRxWcniAnYphqQkpyYIKttwHmsftZaODzEM64Rj_hU1_bexRwzPW8E75wnjrS_vNNXCHCog5DA2gg4zsbNyECk3qsGQk8yESJzwsKT_lP6Cf8nqrps",
    "GrantId": "e43036820e33b1b372102937aac19093cc84489cf0b0a4ff94fe827fc9eaae9b"
}
$ aws kms list-grants --key-id 99999999-9999-9999-9999-999999999999
{
    "Grants": [
        {
            "KeyId": "arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999",
            "GrantId": "e43036820e33b1b372102937aac19093cc84489cf0b0a4ff94fe827fc9eaae9b",
            "Name": "",
            "CreationDate": 1583828859.0,
            "GranteePrincipal": "awn:aws:iam:::1234567890/role/keyuser-role",
            "IssuingAccount": "arn:aws:iam::1234567890:root",
            "Operations": [
                "Decrypt",
                "Encrypt"
            ]
        }
    ]
}
$ aws --profile keyuser-role kms encrypt --key-id 99999999-9999-9999-9999-999999999999 --plaintext "foo"
An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952 is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999
$ aws --profile keyuser-role kms encrypt --key-id 99999999-9999-9999-9999-999999999999 --plaintext "foo" --grant-tokens "AQpANGJiNDRhMjVhNGRmNjY0MDBjYTU2YWNlOTkyNWVjNDBkNmFlMDA1Nzc2MmEzMjFkZjk1N2Q2ODc1NzU2ZDYxMiKpAgEBAgB4S7RKJaTfZkAMpWrOmSXsQNauAFd2KjId-VfWh1dW1hIAAAEAMIH9BgkqhkiG9w0BBwagge8wgewCAQAwgeYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQML6vpVnNolKHIUz9eAgEQgIG4WcppsyTfo4BBKLvV02Wz1K6LlxpNXhhEZVFlCnTzO3Lsat5LBwtlCilPxpcW5N7f8ucjfi_AiH5VYM50_nNqGF1rH5GgzZoDXn76salNvzxF9YoPP3iWiH-NQ7O695kv0svhdONpfrk8nNCBvOeQbQDj9sLCUGbOI3Di51YKKzb9TZd_hwRxWcniAnYphqQkpyYIKttwHmsftZaODzEM64Rj_hU1_bexRwzPW8E75wnjrS_vNNXCHCog5DA2gg4zsbNyECk3qsGQk8yESJzwsKT_lP6Cf8nqrps"
An error occurred (AccessDeniedException) when calling the Encrypt operation: User: arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952 is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999
$ aws --profile keyuser-role sts get-caller-identity
{
    "UserId": "AROA2AD3X6CJC6MODMUZP:botocore-session-1583827952",
    "Account": "1234567890",
    "Arn": "arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952"
}
Why can't the role that holds the grant access the key?
Update
The roles have no IAM policies attached.
Without seeing the policy defined for the KeyUser role it is hard to be certain, but I believe your problem is that the role probably does not have the required KMS actions defined for it.
The AWS docs for defining KMS access to roles describe defining an IAM role with the kms:Encrypt action on the KMS key. If the IAM role does not already have these actions defined, you will be blocked before you even get to the grant on the KMS key.
Copied from the docs, a policy like this needs to be on your KeyUser role:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt"
        ],
        "Resource": [
            "arn:aws:kms:eu-north-1:1234567890:key/99999999-9999-9999-9999-999999999999"
        ]
    }
}
I made a silly mistake and passed the wrong grantee-principal flag to the create-grant operation. After replacing
awn:aws:iam:::1234567890/role/keyuser-role
with
arn:aws:iam::1234567890:role/keyuser-role
everything works as expected.
Luckily a user on the AWS forum pointed out the mistake.
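The pre-flight check that would have caught the typo above, as an added example that is not part of the original question or answers. It parses a grantee-principal ARN into the six colon-separated fields AWS documents (arn:partition:service:region:account:resource) and rejects anything that is not an IAM user, role or root ARN, since KMS itself stored the malformed string and echoed it back unchanged in list-grants. It also checks whether an STS assumed-role identity such as the one from get-caller-identity derives from the role named in a grant, modelling the documented behaviour that a grant to an IAM role covers sessions assumed from that role. It runs offline; the embedded ARNs are the post's own values, the account-ID check only requires digits because the post's 1234567890 is a redacted placeholder (real account IDs are 12 digits), and the function and class names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Partitions KMS runs in; IAM principal ARNs carry one of these.
_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
# IAM resource forms KMS accepts as a grantee principal. Role and user names
# may be preceded by a path (role/some/path/name).
_PRINCIPAL_RESOURCE = re.compile(r"^(root|(user|role)/[\w+=,.@/-]+)$")
# STS identity of an assumed-role session, as printed by get-caller-identity.
_ASSUMED_ROLE = re.compile(r"^arn:(aws[\w-]*):sts::(\d+):assumed-role/([^/]+)/[^/]+$")


@dataclass
class PrincipalCheck:
    arn: str
    ok: bool
    errors: List[str] = field(default_factory=list)
    partition: str = ""
    account: str = ""
    resource: str = ""


def check_grantee_principal(arn: str) -> PrincipalCheck:
    """Validate an IAM principal ARN before passing it to kms create-grant.

    KMS stores whatever string it is given (the post shows a malformed one
    in list-grants output), so the check has to happen on the caller's side.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return PrincipalCheck(arn, False, [f"expected 6 colon-separated fields, got {len(parts)}"])
    prefix, partition, service, region, account, resource = parts
    errors = []
    if prefix != "arn":
        errors.append(f"prefix must be 'arn', got {prefix!r}")
    if partition not in _PARTITIONS:
        errors.append(f"unknown partition {partition!r}")
    if service != "iam":
        errors.append(f"grantee principals are IAM ARNs, got service {service!r}")
    if region != "":
        errors.append(f"IAM ARNs have an empty region field, got {region!r}")
    # Real account IDs are 12 digits; only digits are required here so the
    # post's redacted placeholder 1234567890 still passes (assumption).
    if not account.isdigit():
        errors.append(f"account field must be numeric, got {account!r}")
    if not _PRINCIPAL_RESOURCE.match(resource):
        errors.append(f"resource must be root, user/<name> or role/<name>, got {resource!r}")
    return PrincipalCheck(arn, not errors, errors, partition, account, resource)


def session_covered_by_grant(caller_arn: str, grantee_arn: str) -> bool:
    """Does an STS assumed-role identity fall under a grant to grantee_arn?

    A grant whose grantee is an IAM role applies to sessions assumed from
    that role; this models that by comparing partition, account and role
    name (a role path, if present, does not appear in the session ARN).
    """
    session = _ASSUMED_ROLE.match(caller_arn)
    grantee = check_grantee_principal(grantee_arn)
    if not session or not grantee.ok or not grantee.resource.startswith("role/"):
        return False
    partition, account, role_name = session.groups()
    granted_role = grantee.resource.rsplit("/", 1)[1]
    return (partition, account, role_name) == (grantee.partition, grantee.account, granted_role)


# Values taken from the post: the mistyped grantee, the corrected one, and
# the identity reported by `sts get-caller-identity` for the keyuser profile.
BAD_GRANTEE = "awn:aws:iam:::1234567890/role/keyuser-role"
GOOD_GRANTEE = "arn:aws:iam::1234567890:role/keyuser-role"
KEYUSER_SESSION = "arn:aws:sts::1234567890:assumed-role/keyuser-role/botocore-session-1583827952"

if __name__ == "__main__":
    for arn in (BAD_GRANTEE, GOOD_GRANTEE):
        result = check_grantee_principal(arn)
        print(arn, "OK" if result.ok else "REJECTED")
        for err in result.errors:
            print("   -", err)
    print("session covered by mistyped grant:", session_covered_by_grant(KEYUSER_SESSION, BAD_GRANTEE))
    print("session covered by corrected grant:", session_covered_by_grant(KEYUSER_SESSION, GOOD_GRANTEE))
```

Run it before calling create-grant: for the post's mistyped ARN it reports three problems (prefix awn, empty account field, resource not of the form role/<name>), and shows that no session of keyuser-role could ever be matched by that grant, which is why even passing the grant token on the encrypt call made no difference.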