Hi Team,
we are actually trying to share form one our aws account (ACC1) IAM user (juenwei) a customer managed kms key with name (keygenerated-26-10) to the account (ACC2) IAM user (juenwei-dr), both account are part of same organization.
here are the key- policy from juenwei account,
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACC1-ID:root",
"arn:aws:iam::ACC1-ID:user/juenwei"
]
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACC1-ID:user/juenwei"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACC2-ID:root",
"arn:aws:iam::ACC2-ID:user/juenwei-dr"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACC2-ID:root",
"arn:aws:iam::ACC2-ID:user/juenwei-dr"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
we have allowed to both root and juenwei-dr user with the access of key.
also in juenwei-dr account we have attached a permission to access this kms key from source account
here the policy attached,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUseOfTheKey",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"arn:aws:kms:ap-southeast-1:ACC1-ID:key/4015d80b-24eb-4be6-b856-83054097c95c"
]
},
{
"Sid": "AllowAttachmentOfPersistentResources",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": [
"arn:aws:kms:ap-southeast-1:ACC1-ID:key/4015d80b-24eb-4be6-b856-83054097c95c"
],
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}
even after adding this permissions we are still not able to see the shared key in juenwei-dr acount.
requesting you to please look into this isssue, any kind of help or resolution is really appriciated.
This document is older one, options has been change in New UI
Seems like, shared key will not be visible in Destination accounts KMS section, we can only use it by its ARN
Hi, yes, console views usually display only corresponding resources of the account, not cross-account resources. It is same thing for example with S3, etc. So, yes, you must know the ARN of the resource shared with you. Best, Didier