How to delegate KMS key creation to an IAM account

Question

Good morning everyone,

It's my first question there, so please be indulgent with me ;o)

I would like to delegate the KMS key creation  and use to an IAM user.
The purpose is to have an IAM account for a customer and so, he could create and manage his own key.
Is it possible?
Do you have some documentation or links to help me?

Until now, I created an IAM account but when I try to create a key with it, I get 2 errors message 
AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::444444444444:user/ because no identity-based policy allows the iam:ListUsers action

AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::444444444444:role/ because no identity-based policy allows the iam:ListRoles action

Thanks for your help.
Best Regards,
Mike

Accepted Answer

It sounds like you might need to add a few more actions to your IAM user policy. To fix those issues specifically, it will need to include the following in addition to the KMS actions:
```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ListRoles",
      "iam:ListUsers"
    ],
    "Resource": "*"
  }
}
```
There are some more examples here of policies that allow various KMS actions: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html

How to delegate KMS key creation to an IAM account

관련 콘텐츠