How to delegate KMS key creation to an IAM account


Good morning everyone,

It's my first question there, so please be indulgent with me ;o)

I would like to delegate the KMS key creation and use to an IAM user. The purpose is to have an IAM account for a customer so that he can create and manage his own key. Is it possible? Do you have some documentation or links to help me?

Until now, I created an IAM account, but when I try to create a key with it, I get 2 error messages:

AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::444444444444:user/ because no identity-based policy allows the iam:ListUsers action

AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::444444444444:role/ because no identity-based policy allows the iam:ListRoles action

Thanks for your help. Best Regards, Mike

asked 2 years ago, 354 views
1 Answer
Accepted Answer

It sounds like you might need to add a few more actions to your IAM user policy. To fix those issues specifically, it will need to include the following in addition to the KMS actions:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ListRoles",
      "iam:ListUsers"
    ],
    "Resource": "*"
  }
}

There are some more examples here of policies that allow various KMS actions: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html

Ed
answered 2 years ago
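As an added example (not Ed's code and not from the AWS documentation linked above), the script below parses AccessDenied messages of the shape quoted in the question, derives the missing IAM actions from them, and assembles them into a policy alongside a KMS key-management statement. The KMS action list and the `policy_allows` checker are assumptions of this example, chosen as a starting point for a delegated key manager; the error messages are constructed copies of the two in the question. It runs offline, so it checks the policy document itself rather than calling AWS.

```python
import fnmatch
import json
import re

# Constructed copies of the two AccessDenied messages quoted in the question.
SAMPLE_ERRORS = [
    "AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager "
    "is not authorized to perform: iam:ListUsers on resource: "
    "arn:aws:iam::444444444444:user/ because no identity-based policy allows the iam:ListUsers action",
    "AccessDenied - User: arn:aws:iam::444444444444:user/MATMUT_KMS_Manager "
    "is not authorized to perform: iam:ListRoles on resource: "
    "arn:aws:iam::444444444444:role/ because no identity-based policy allows the iam:ListRoles action",
]

# Pattern for the "User: ... is not authorized to perform: ... on resource: ..." wording.
_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>\S+)"
)

# Assumed starting set for a user who creates and administers their own keys.
# kms:CreateKey only accepts Resource "*" because the key does not exist yet.
KMS_KEY_MANAGER_ACTIONS = [
    "kms:CreateKey",
    "kms:CreateAlias",
    "kms:DescribeKey",
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:TagResource",
    "kms:EnableKeyRotation",
    "kms:ScheduleKeyDeletion",
]


def parse_access_denied(message):
    """Return principal, action and resource from an AccessDenied message, or None."""
    match = _DENIED_RE.search(message)
    return match.groupdict() if match else None


def build_delegated_policy(denied_messages):
    """Build an identity policy: KMS key management plus the actions the errors asked for."""
    missing = sorted({p["action"] for p in map(parse_access_denied, denied_messages) if p})
    statements = [
        {
            "Sid": "ManageOwnKmsKeys",
            "Effect": "Allow",
            "Action": KMS_KEY_MANAGER_ACTIONS,
            "Resource": "*",
        }
    ]
    if missing:
        # The console lists users and roles while building the key policy,
        # which is where the iam:ListUsers / iam:ListRoles denials come from.
        statements.append(
            {
                "Sid": "ConsoleListsPrincipals",
                "Effect": "Allow",
                "Action": missing,
                "Resource": "*",
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def policy_allows(policy, action):
    """Offline check: does any Allow statement in the document cover this action?"""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            return True
    return False


if __name__ == "__main__":
    policy = build_delegated_policy(SAMPLE_ERRORS)
    print(json.dumps(policy, indent=2))
    for action in ("iam:ListUsers", "iam:ListRoles", "kms:CreateKey", "iam:CreateUser"):
        print(f"{action}: {'allowed' if policy_allows(policy, action) else 'denied'}")
```

Running it prints the assembled policy and confirms that the two denied IAM list actions and kms:CreateKey are covered while an unrelated action such as iam:CreateUser is not. Because the list actions are granted on `Resource: "*"`, the delegated user can enumerate every user and role in the account, so the remaining decision for the account owner is whether that visibility is acceptable for a customer-facing identity.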
