By using AWS re:Post, you agree to the Terms of Use
/How to delegate KMS key creation to an IAM account/

How to delegate KMS key creation to an IAM account

0

Good morning everyone,

It's my first question there, so please be indulgent with me ;o)

I would like to delegate the KMS key creation and use to an IAM user. The purpose is to have an IAM account for a customer and so, he could create and manage his own key. Is it possible? Do you have some documentation or links to help me?

Until now, I created an IAM account but when I try to create a key with it, I get 2 errors message AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::444444444444:user/ because no identity-based policy allows the iam:ListUsers action

AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::444444444444:role/ because no identity-based policy allows the iam:ListRoles action

Thanks for your help. Best Regards, Mike

1 Answers
0
Accepted Answer

It sounds like you might need to add a few more actions to your IAM user policy. To fix those issues specifically, it will need to include the following in addition to the KMS actions:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ListRoles",
      "iam:ListUsers"
    ],
    "Resource": "*"
  }
}

There are some more examples here of policies that allow various KMS actions: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html

answered 20 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions