- Newest
- Most votes
- Most comments
Hi! Lightsail uses a service-linked role in IAM which means that it is the service itself which has access to KMS to do what is needed for operating Lightsail. You can read more about that here https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-service-linked-roles
Hope this helps!
I am not the one asking the question, but I am simply curious.
In the Lightsail documentation that Bent_T referred me to, it appears that service-linked role do not have permission to access KMS.
It also states that service-linked role cannot be edited.
If this is the case, is it still possible to access KMS with service-linked role?
Incidentally, one method I have found for accessing other AWS services from Lightsail is to use the credentials of an IAM user. [1]
[1] amazon web services - Can I access AWS Parameter store from Lightsail instance?
https://stackoverflow.com/questions/71818943/can-i-access-aws-parameter-store-from-lightsail-instance
The answer of service linked role provided was not helpful. What we did was create a IAM service account, provided IAM permissions for KMS. Then used API keys to encrypt/decrypt within my application hosted in Lightsail.
Relevant content
- asked 2 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
Please clarify how you would like to access the KMS.
Are you a developer using an IAM user who wants to access KMS?
Or is it an application in Lightsail?