Administrator user does not have access to a KMS key which was created before

0

TL;DR: A new DevOps engineer wants to use the current EKS cluster, which is encrypted using KMS; the IAM user has administrator access, copied from the old DevOps guy.

I've joined a new company which has an EKS cluster. To work with the cluster I need to add myself to the auth-users configMap, so I tried to use the original Terraform which was used to create the cluster, but got this error:

Error: reading KMS Key (c09fb55c-efe7-4f72-ab13-8efea02362a3): reading KMS Key (c09fb55c-efe7-4f72-ab13-8efea02362a3): AccessDeniedException: User: arn:aws:iam::000000000:user/my-name@company.com is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-1:000000000:key/c09fb55c-efe7-4f72-ab13-8efea02362a3 because no resource-based policy allows the kms:DescribeKey action
│       status code: 400, request id: da88a001-4835-41ff-a416-0e92307153b8
│ 
│   with module.eks.module.eks.module.kms.aws_kms_key.this[0],
│   on .terraform/modules/eks.eks.kms/main.tf line 8, in resource "aws_kms_key" "this":
│    8: resource "aws_kms_key" "this" {
│ 

I've tried to attach a policy which allows my user to access kms:*, but still got the error. Using the AWS permission simulator I have access to all KMS resources. What else can I do to access the cluster/KMS as administrator?

1 Answer
0
Accepted Answer

The issue you're facing is related to the Key Policy attached to the KMS key used for encrypting the EKS cluster resources. The Key Policy determines which IAM principals (users, roles, or accounts) have access to the KMS key and what operations they can perform.

Even though you have an IAM user with administrator access, the Key Policy on the specific KMS key might not grant the necessary permissions to your IAM user. This is a common security practice to restrict access to sensitive resources like KMS keys, even for administrators.

Here are a few steps you can take to resolve this issue:

  1. Identify the KMS Key Policy: First, you need to identify the Key Policy attached to the KMS key in question. You can do this by navigating to the AWS KMS console, selecting the KMS key, and reviewing the "Key Policy" section.

  2. Update the Key Policy: If the Key Policy does not include a statement granting your IAM user the necessary permissions (e.g., kms:DescribeKey, kms:Encrypt, kms:Decrypt), you'll need to update the Key Policy to grant those permissions.

    You can update the Key Policy by clicking on the "Key Policy" section in the KMS console, and then clicking "Edit". Add a statement granting your IAM user the required permissions. Here's an example statement:

    {
      "Sid": "Allow access for my-name@company.com",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000:user/my-name@company.com"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }

    Replace my-name@company.com with your IAM user name, and 000000000 with your AWS account ID.

  3. Request Access: If you don't have the necessary permissions to update the Key Policy yourself, you'll need to request access from the appropriate team or individual responsible for managing the KMS key.

  4. Use an IAM Role with Proper Permissions: Alternatively, instead of using your IAM user, you could create an IAM role with the necessary permissions to access the KMS key and use that role when running Terraform or interacting with the EKS cluster.

By following these steps, you should be able to grant your IAM user (or an IAM role) the necessary permissions to access the KMS key used for encrypting the EKS cluster resources, allowing you to work with the cluster and run Terraform without encountering the AccessDeniedException.

See the [KMS Key Policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) for more information.

AWS
answered 10 months ago
reviewed 2 months ago
  • Based on your answer I've tried to use the cluster role, but got an error saying I'm not allowed to assume the role. I've tried to create a new role instead and give it all the permissions for KMS and EKS (even added administrator at some point), and assumed this role, but got the same error, this time saying the role is not authorized. I guess the next step is asking whoever created the EKS with this KMS to add the policy.
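An added example, not part of the question or the answer above, that models the evaluation the answer describes. A KMS key policy is a resource-based policy: a same-account IAM principal is authorized only if the key policy names it directly, or names the account root principal (the statement that makes identity-based IAM policies effective for that key) and the principal's IAM policies also allow the action. That is why an AdministratorAccess user still gets "no resource-based policy allows the kms:DescribeKey action". The account id, the `old-devops` and `eks-cluster-role` ARNs and the policy document are constructed placeholders; the evaluator is a simplification that ignores `Condition` blocks and KMS grants.

```python
"""Offline model of KMS key-policy authorization (constructed example).

All ARNs, the account id and the policy below are placeholders, not real
values from any account."""
import fnmatch
import json
import re
from typing import Any, Dict, List, Optional, Tuple

ACCOUNT_ID = "000000000000"  # placeholder account id

# Constructed key policy resembling one generated for an EKS cluster: the
# previous engineer's user is the only key administrator, the cluster role is
# the only key user, and there is NO statement for the account root principal,
# so identity-based (IAM) policies cannot grant any access to this key.
KEY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/old-devops"},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "KeyUsage",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/eks-cluster-role"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                       "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: Any, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _principal_match(principal: Any, caller_arn: str) -> Optional[str]:
    """'direct' if the caller is named, 'account' if only the account root is
    named (which delegates the decision to IAM policies), else None."""
    if principal == "*":
        return "direct"
    if not isinstance(principal, dict):
        return None
    account = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller_arn):
            return "direct"
        if p in (account, f"arn:aws:iam::{account}:root"):
            return "account"
    return None


def evaluate(policy: Dict[str, Any], caller_arn: str, action: str,
             iam_allows: bool) -> Tuple[bool, str]:
    """Simplified decision: an explicit Deny wins; otherwise the key policy must
    name the caller directly, or name the account root AND the caller's IAM
    policies (iam_allows) must permit the action."""
    resource_allows = False
    for st in policy["Statement"]:
        if not _action_matches(st.get("Action", []), action):
            continue
        match = _principal_match(st.get("Principal"), caller_arn)
        if match is None:
            continue
        if st["Effect"] == "Deny":
            return False, f"explicit deny in statement {st.get('Sid')}"
        if match == "direct" or (match == "account" and iam_allows):
            resource_allows = True
    if resource_allows:
        return True, "allowed"
    # Same condition as the AccessDeniedException quoted in the question.
    return False, f"no resource-based policy allows the {action} action"


def grant_statement(principal_arn: str, actions: List[str]) -> Dict[str, Any]:
    """Build a statement like the one in the accepted answer for a principal."""
    name = re.sub(r"[^A-Za-z0-9]", "", principal_arn.rsplit("/", 1)[-1])
    return {"Sid": f"AllowAccessFor{name}", "Effect": "Allow",
            "Principal": {"AWS": principal_arn}, "Action": list(actions),
            "Resource": "*"}


def with_statement(policy: Dict[str, Any], statement: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the policy with the statement appended; applying it for real
    needs kms:PutKeyPolicy, which the key policy itself must grant."""
    updated = json.loads(json.dumps(policy))
    updated["Statement"].append(statement)
    return updated


if __name__ == "__main__":
    new_admin = f"arn:aws:iam::{ACCOUNT_ID}:user/my-name@company.com"
    print(evaluate(KEY_POLICY, new_admin, "kms:DescribeKey", iam_allows=True))
    fixed = with_statement(KEY_POLICY, grant_statement(new_admin, ["kms:DescribeKey"]))
    print(evaluate(fixed, new_admin, "kms:DescribeKey", iam_allows=False))
```

To run the model against a real policy, fetch it with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` and load the JSON into `evaluate`. Note that the "Use an IAM Role" step only helps if the key policy names that role (or the account root): a role with administrator IAM permissions is denied exactly like the user, which matches the comment above. If no principal that the key policy names can still be assumed, nobody in the account can run kms:PutKeyPolicy on the key, and the remaining route is an AWS Support case.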
