Unable to access customer-managed keys on Key Management Service

We can't view our customer-managed keys even from the root account, and these key policies need to be edited. We kept getting errors: The user is not authorised to perform "kms:DescribeKey".

After adding "kms:DescribeKey" permission to the resource, the error still persists.

How can we solve this, please?

Topics

Security, Identity, & Compliance Management & Governance

Tags

AWS Key Management Service AWS Identity and Access Management AWS Account Management IAM Policies

Language

English

kunmi

asked 3 months ago182 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello.

If you are unable to access the KMS key no matter which user you use, you will need to open a case with AWS Support under "Account and billing" and have them take action.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html

For example, suppose you create a key policy that gives only one user access to the KMS key. If you then delete that user, the key becomes unmanageable and you must contact AWS Support to regain access to the KMS key.

EXPERT

Riku_Kobayashi

answered 3 months ago

kunmi
3 months ago
I created an EKS cluster, and I later deleted the user who created the cluster. After several permission issues, I created a new user with the same name as the one that was deleted initially. Whenever I try to update the eks cluster with the new user iam, i keep getting the following: The user is not authorized to perform: kms:DescribeKey on resource. Even after adding the policy, I still get the same error. So I decided to login through the root account, and I noticed I couldn't even access the customer-managed key for that cluster.

Relevant content

Can't cleanup obsolete Customer managed keys in Key Management Service
Artem
asked 3 months ago
Unable to access shared customer managed key in my another aws account
Accepted Answer
Shriram
asked 6 months ago
secret key and access key
rePost-User-6301439
asked a year ago
KMS key policy to allow access to the key only to the role used to create the key
AWS-User-4814236
asked 2 years ago
How do I resolve the error "The new key policy will not allow you to update the key policy in the future" when I try to create an AWS KMS key using AWS CloudFormation?
AWS OFFICIALUpdated a year ago
Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?
AWS OFFICIALUpdated 2 years ago
How do I import my keys into AWS Key Management Service?
AWS OFFICIALUpdated 4 months ago
Why am I getting a "Server refused our key" error when I try to connect to my EC2 instance using SSH?
AWS OFFICIALUpdated a year ago
Announcing support for multiple host keys and key types for AWS Transfer Family servers
EXPERT
sagarb-aws
published 2 years ago
Reduce your security risk with AWS Trusted Advisor exposed access keys recommendation
EXPERT
AWS_Manas_S
published a year ago