3 Answers
0
Hi Gary, thanks for the quick answer.
I have this policy in my KMS key
```json
{
  "Version": "2012-10-17",
  "Id": "some-id",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222:role/my-super-role"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
along with many other statements that come by default when you create a new key. Could that be the problem?
answered 9 months ago
0
Try updating the resource policies in account 111111111 to use this principal: arn:aws:sts::222222222:assumed-role/my-super-role/I-xxxxxxxxxxx
on the KMS and Secret policy,
instead of the IAM principal.
But wouldn't it be a problem if another instance assumes the role? Unless I use
arn:aws:sts::222222222:assumed-role/my-super-role/i-*
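As an added check (example code written for this page, not part of the thread or of any AWS tool), the following Python audits a KMS key policy like the one posted above: it lists every principal allowed kms:Decrypt, marks cross-account grants, and flags principal ARNs that KMS will not accept, namely malformed ones such as the doubled `arn:aws:iam::` prefix in the posted policy and wildcard session ARNs like `assumed-role/my-super-role/i-*`. The sample policy and its 12-digit account IDs are constructed.

```python
import json
import re

# Constructed sample modelled on the posted policy (account IDs padded to 12
# digits): the duplicated-prefix ARN as posted, the wildcard session ARN, and
# the corrected role ARN alongside the key-owning account's root.
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Id": "some-id", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Principal": {"AWS": "arn:aws:iam::arn:aws:iam::222222222222:role/my-super-role"}},
    {"Effect": "Allow", "Resource": "*", "Action": "kms:Decrypt",
     "Principal": {"AWS": "arn:aws:sts::222222222222:assumed-role/my-super-role/i-*"}},
    {"Effect": "Allow", "Resource": "*", "Action": "kms:Decrypt",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/my-super-role",
                           "arn:aws:iam::111111111111:root"]}},
]})

# Principal forms a key policy accepts: IAM role or user, one role session, or
# an account root. Exact match only; a principal ARN may not contain wildcards.
PRINCIPAL_FORMS = {
    "role": re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$"),
    "user": re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$"),
    "session": re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[\w+=,.@-]+/[\w+=,.@-]+$"),
    "account": re.compile(r"^arn:aws:iam::\d{12}:root$"),
}


def as_list(value):
    """IAM lets Action and Principal.AWS be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def classify_principal(arn: str) -> str:
    """Return the matching form name, 'wildcard' if it contains * or ?, else 'malformed'."""
    if "*" in arn or "?" in arn:
        return "wildcard"
    return next((k for k, p in PRINCIPAL_FORMS.items() if p.match(arn)), "malformed")


def decrypt_grants(policy_json: str, key_account: str) -> list:
    """List principals allowed kms:Decrypt, flagging wildcard/malformed ARNs and cross-account grants."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"kms:Decrypt", "kms:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        # A role ARN already covers every session that assumes the role.
        for arn in as_list(principal if isinstance(principal, str) else principal.get("AWS", [])):
            kind = classify_principal(arn)
            account = arn.split(":")[4] if kind in PRINCIPAL_FORMS else None
            findings.append({"principal": arn, "kind": kind,
                             "cross_account": account is not None and account != key_account})
    return findings
```

Run against a real policy with `aws kms get-key-policy --policy-name default`; anything reported as malformed or wildcard is a grant that is not actually in effect.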
0
I don’t see a resource policy for the KMS key in account 1111111111 to allow the role from account 2222222222 to decrypt. Step 2 from your link.
Could this be the reason?
I think I see the issue now. Silly me. You're assuming a role.
Created new answer.