Hello Guillaume,
You forgot to censor your account ID in the error message.
Looking at the ARN inside your error message and the ARN inside your KMS key policy => they are different.
Can you try adding the ARN you get in the error message to the KMS key policy and try again?
Thanks in advance
Heiko
Hello,
Thank you for your answer. I didn't censor the account ID because it is not mine; it is probably something on the AWS side used by CloudFront.
Sometimes I have another error (without changing anything):
<Error>
  <Code>AccessDenied</Code>
  <Message>User: arn:aws:sts::856369053181:assumed-role/OriginAccessControlRole/OriginAccessSession is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access</Message>
  <RequestId>41NJFKHDCCXWS3EJ</RequestId>
  <HostId>nPA10pJGuaKdquJ3iGLsGdwCjBFw7LN8ylbSG8KN6iPFO1YzLPIXgt++Jqn61UUlsrP58uZn7PY=</HostId>
</Error>
Still not my account.
Hello Heiko, I'm having the same issue and tried adding an AWS principal with the ARN of the blocked STS session, but it still does not solve the problem.
Guillaume did you ever figure it out?
I have tried to do the same thing, but using the account where the key is, and I have the same problem, so I probably forgot something, but I don't know what.
Maybe I can share my Terraform code.
My Terraform code is available here: https://github.com/guillomep/tf-static-website/
Is it possible to post your full KMS key policy?
I don't see your full KMS key policy in the Terraform code you linked here -- https://github.com/guillomep/tf-static-website/ -- but have you tried granting the CloudFront service principal (i.e., cloudfront.amazonaws.com) permission to call kms:Decrypt within the IAM policy? It's also possible that you removed the default key policy, which basically "delegates" permission to IAM (see https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam).
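The answer above points at two things to verify in the key policy: an Allow statement for the cloudfront.amazonaws.com service principal with kms:Decrypt, and the default "root" statement that lets IAM policies in the key's account grant key use. The following is an added example, not code from the thread or from the linked Terraform repository: a small checker that audits a KMS key policy document for both, run against two constructed policies. BROKEN_POLICY mirrors the approach the thread reports as not working (a principal copied from the error message); FIXED_POLICY grants the service principal, scoped with an AWS:SourceArn condition to one distribution. The account ID, distribution ID and session ARN are placeholders, and explicit Deny statements are not evaluated.

```python
"""Audit a KMS key policy for CloudFront OAC + SSE-KMS access (added example)."""
import fnmatch
import json
from typing import Any, Optional

CLOUDFRONT_SERVICE_PRINCIPAL = "cloudfront.amazonaws.com"

# Placeholder identifiers (assumptions for this example, not values from the thread).
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/EDFDVBD6EXAMPLE"

# Default statement that delegates key permissions to IAM in the key's account.
ROOT_STATEMENT = {
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "kms:*",
    "Resource": "*",
}

# Constructed: principal copied from the error message (session in a placeholder account).
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        ROOT_STATEMENT,
        {
            "Sid": "AllowOACSession",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:sts::123456789012:assumed-role/OriginAccessControlRole/OriginAccessSession"},
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
    ],
}

# Constructed: CloudFront service principal, limited to one distribution via AWS:SourceArn.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        ROOT_STATEMENT,
        {
            "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_SERVICE_PRINCIPAL},
            "Action": ["kms:Decrypt"],  # add kms:Encrypt / kms:GenerateDataKey* only if uploads go through CloudFront
            "Resource": "*",
            "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}},
        },
    ],
}


def _as_list(value: Any) -> list:
    """Most IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_granted(stmt: dict, action: str) -> bool:
    """True if any Action pattern in the statement matches `action` (IAM wildcard, case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(stmt.get("Action")))


def _source_arn_condition(stmt: dict) -> list:
    """AWS:SourceArn values of a StringEquals condition, if present (condition keys are case-insensitive)."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() == "stringequals":
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    return _as_list(value)
    return []


def allows_cloudfront_decrypt(policy: dict, distribution_arn: Optional[str] = None) -> bool:
    """Does an Allow statement grant kms:Decrypt to the CloudFront service principal,
    and, if it is scoped with AWS:SourceArn, for the given distribution?"""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if CLOUDFRONT_SERVICE_PRINCIPAL not in _as_list(principal.get("Service")):
            continue
        if not _action_granted(stmt, "kms:Decrypt"):
            continue
        sources = _source_arn_condition(stmt)
        if sources and distribution_arn is not None and distribution_arn not in sources:
            continue
        return True
    return False


def has_iam_delegation(policy: dict, account_id: str) -> bool:
    """Is the default statement present that lets the account root (and so IAM policies) use the key?"""
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and root_arn in _as_list(principal.get("AWS")) and _action_granted(stmt, "kms:*")):
            return True
    return False


def audit_key_policy(policy: dict, account_id: str, distribution_arn: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if not has_iam_delegation(policy, account_id):
        findings.append("default root statement missing: IAM policies in the account cannot grant key use")
    if not allows_cloudfront_decrypt(policy, distribution_arn):
        findings.append("no Allow statement grants kms:Decrypt to cloudfront.amazonaws.com for this distribution")
    return findings


if __name__ == "__main__":
    for name, policy in (("BROKEN_POLICY", BROKEN_POLICY), ("FIXED_POLICY", FIXED_POLICY)):
        print(name, audit_key_policy(policy, ACCOUNT_ID, DISTRIBUTION_ARN) or "OK")
    print(json.dumps(FIXED_POLICY, indent=2))
```

To use it on a real key, feed the output of `aws kms get-key-policy --key-id <id> --policy-name default --output text` through `json.loads` and pass your own account ID and distribution ARN. The AWS:SourceArn condition is what keeps any other CloudFront distribution (in any account) from using the key through the service principal.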