I am trying to set up minimal permissions for doing aws rds copy-db-snapshot
with a KMS encryption key:
aws rds copy-db-snapshot --source-db-snapshot-identifier rds-backup-share-mysql --target-db-snapshot-identifier rds-backup-share-mysql-reencrypted --kms-key-id <kms-arn>
(Everything within <> is stripped out by me and contains valid values.)
Unfortunately I get this error:
An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target snapshot KMS key [<kms-arn>] does not exist, is not enabled or you do not have permissions to access it.
Currently I allow these actions:
"Action": [
"kms:ReEncrypt*",
"kms:ListKeys",
"kms:ListAliases",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:DescribeKey",
"kms:Decrypt"
],
It works if I replace it with "kms:*", so it must be a permission issue.
I tried to figure out the correct permissions with CloudTrail, but it just contains the same unhelpful error message.
So my actual questions:
- What are the minimal KMS permissions for CopyDBSnapshot?
- Is there a generic way to figure out the required permissions? It is always a pain to waste my time by googling the required permissions.
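Added example, not part of the question above: an offline check of which key-usage actions the quoted identity-policy fragment does not cover, using IAM's case-insensitive `*`/`?` action matching. The RDS_KEY_ACTIONS list is an assumption modelled on the key-policy statement AWS documents for RDS use of a customer managed key (including kms:CreateGrant) and should be confirmed against the current RDS documentation; the policy document is the question's fragment wrapped into a complete, constructed policy.

```python
import fnmatch
import json

# The Action list from the question, wrapped into a complete (constructed) policy.
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:ReEncrypt*", "kms:ListKeys", "kms:ListAliases",
                   "kms:GenerateDataKey*", "kms:Encrypt", "kms:DescribeKey",
                   "kms:Decrypt"],
        "Resource": "*",
    }],
})

# Assumption: actions an RDS snapshot copy exercises on a customer managed key,
# taken from the documented RDS key-policy statement. Verify against AWS docs.
RDS_KEY_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allow_patterns(policy_json):
    """Collect Action patterns from every Allow statement in a policy document."""
    doc = json.loads(policy_json)
    statements = doc["Statement"]
    if isinstance(statements, dict):      # a single statement may be an object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def uncovered_actions(policy_json, required):
    """Return required actions no Allow pattern matches (Deny, Resource and
    Condition elements are deliberately not modelled here)."""
    patterns = allow_patterns(policy_json)
    return [a for a in required
            if not any(_action_matches(p, a) for p in patterns)]
```

Run against the question's fragment this reports only kms:CreateGrant as uncovered, while replacing the list with "kms:*" reports nothing, which matches the observed behaviour; whether CreateGrant is the actual missing piece still has to be confirmed with the RDS documentation.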