3 answers
0
Hi Gary, thanks for the quick answer.
I have this policy in my KMS key
{
  "Version": "2012-10-17",
  "Id": "some-id",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222:role/my-super-role"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
along with many other statements that come by default when you create a new key. Could that be the problem?
answered 10 months ago
0
Try updating the resource policies in account 111111111 to use this principal, arn:aws:sts::222222222:assumed-role/my-super-role/I-xxxxxxxxxxx, on the KMS and Secret policy instead of the IAM principal.
But wouldn't it be a problem if another instance assumes the role? Unless I use
arn:aws:sts::222222222:assumed-role/my-super-role/i-*
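To go with the two principal formats discussed in this answer, here is an added example (not code from the thread or from AWS) that lints the kms:Decrypt grants in a key policy document: it flags a doubled arn:aws:iam:: prefix like the one in the posted policy, wildcards inside a principal ARN (IAM does not match partial wildcards in a Principal), and principals from an unexpected account, and maps a single-session STS ARN to the role ARN that covers every session of that role. The policy and the 12-digit account numbers are constructed placeholders, not the thread's values.

```python
import json
import re

# Principal shapes from the thread: an IAM role ARN matches every session of the
# role; an STS assumed-role ARN names one session (wildcards do not work in either).
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([\w+=,.@-]+)/[\w+=,.@-]+$")

def role_arn_for_session(arn):
    """Rewrite a single-session STS ARN to the IAM role ARN covering all sessions."""
    m = SESSION_RE.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def check_principal(arn):
    """Return the problems found in one principal ARN (empty list means it parses)."""
    if arn.count("arn:aws:") > 1:
        return ["duplicated ARN prefix"]
    if "*" in arn:
        return ["wildcard inside principal ARN"]
    if not (ROLE_RE.match(arn) or SESSION_RE.match(arn)):
        return ["not an IAM role or STS assumed-role ARN"]
    return []

def check_key_policy(policy_text, expected_account):
    """Return {principal: [problems]} for every Allow statement granting kms:Decrypt."""
    findings = {}
    for stmt in json.loads(policy_text)["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "kms:Decrypt" not in actions:
            continue
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in [arns] if isinstance(arns, str) else arns:
            problems = check_principal(arn)
            m = ROLE_RE.match(arn) or SESSION_RE.match(arn)
            if m and m.group(1) != expected_account:
                problems.append(f"principal belongs to account {m.group(1)}, expected {expected_account}")
            if problems:
                findings[arn] = problems
    return findings

# Constructed sample (12-digit placeholder accounts, not the thread's numbers): the
# doubled prefix from the posted policy, a wildcard session name, and a correct grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::arn:aws:iam::222222222222:role/my-super-role"}},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
     "Principal": {"AWS": "arn:aws:sts::222222222222:assumed-role/my-super-role/i-*"}},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/my-super-role"}}]})
```

Run `check_key_policy(SAMPLE_POLICY, "222222222222")` to see the first two statements flagged and the third accepted; `role_arn_for_session` gives the replacement principal for a flagged session ARN.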
0
I don’t see a resource policy for the KMS key in account 1111111111 to allow the role from account 2222222222 to decrypt. Step 2 from your link.
Could this be the reason?
I think I see the issue now. Silly me. You're assuming a role.
Created new answer.