KMS Customer Managed Key with cross-account service role permissions
Hello,
I am working with customer on a workload that required KMS key encryption using customer managed key/material. In customer environment, the Key is created in central security account and is shared with the account running the workload (using share with external account option). Within the workload, we need to bring up new instances using auto-scaling with KMS key encryption for attached EBS volumes. We noticed that to get auto-scaling working we need to add service role for auto-scaling as a key user in KMS key and this is working fine within an account (in my environment). But in customer environment, we are unable to add these service roles (for the workload account) in KMS key policy from central security account. It gives an error - "invalid principal". Do you know if this is a limitation for KMS CMK cross account access or what is the right way to enable service role permissions for external (workload) account in KMS key policy?
Thanks!
- Newest
- Most votes
- Most comments
Cross account KMS keys used to encrypt snapshots is supported in an ASG, but the key policy has to be setup slightly differently, and the account with the ASG in it needs to call the create-grant CLI command after the key policy is setup. Detailed instructions can be found here:
Relevant content
- asked 10 months ago
- asked a year ago
- Accepted Answerasked 10 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated a year ago
