Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!
KMS Customer Managed Key with cross-account service role permissions
Hello,
I am working with customer on a workload that required KMS key encryption using customer managed key/material. In customer environment, the Key is created in central security account and is shared with the account running the workload (using share with external account option). Within the workload, we need to bring up new instances using auto-scaling with KMS key encryption for attached EBS volumes. We noticed that to get auto-scaling working we need to add service role for auto-scaling as a key user in KMS key and this is working fine within an account (in my environment). But in customer environment, we are unable to add these service roles (for the workload account) in KMS key policy from central security account. It gives an error - "invalid principal". Do you know if this is a limitation for KMS CMK cross account access or what is the right way to enable service role permissions for external (workload) account in KMS key policy?
Thanks!
- Language
- English
- Newest
- Most votes
- Most comments
Cross account KMS keys used to encrypt snapshots is supported in an ASG, but the key policy has to be setup slightly differently, and the account with the ASG in it needs to call the create-grant CLI command after the key policy is setup. Detailed instructions can be found here:
Relevant content
- asked 7 months ago
