Allowing access to a KMS key from another account

0

I am trying to allow the use of my KMS key from 'Account A' in 'Account B', but I seem to be missing a step. Please let me know if you can see what I'm doing wrong.

The context is that I am sharing a DB snapshot, and the snapshot is encrypted using a CMK in Account A

What I have done: following this document as guidance: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

In Account A's KMS, I updated the key policy with the following:

    {
      "Sid": "Allow an external account to use this KMS key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<Account B>:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }

This key policy does have more, but there are no deny statements in it.

And then in Account B I have created a new IAM policy with the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowUseOfKeyInAccountA",
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "arn:aws:kms:<REGION>:<ACCOUNTA>:key/<KEYID>"
        }
      ]
    }

I attached this policy to the role I'm currently using and then logged out and back in again to the console. Then I went to the snapshots shared with me and attempted to copy the snapshot that was shared from Account A. When I try to save it off though, I get an error:

The source snapshot KMS key [arn:aws:kms:<REGION>:<ACCOUNTA>:key/<KEYID> matching the CMK ARN and policy above] does not exist, is not enabled or you do not have permissions to access it.

What step did I miss?

asked a year ago, 927 views
1 Answer
2
Accepted answer

It looks like what I was missing was

kms:CreateGrant

in my Account A CMK policy. Once added, I was able to do my snapshot copy.

answered a year ago
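The accepted answer pins the failure on one missing action. Since the error message RDS returns ("does not exist, is not enabled or you do not have permissions") does not say which permission is absent, a small offline check of the pasted policy document against the full action set is a quicker way to spot the gap than trial and error. The script below is an added example, not code from the question, the answer or AWS: it evaluates which of the KMS actions a cross-account snapshot copy needs are granted to a given principal by a key policy (or, for statements without a `Principal`, by an IAM identity policy). The account IDs and role ARN are constructed placeholders, `kms:ReEncrypt*` and `kms:GenerateDataKey*` are expanded to the concrete KMS action names they cover, and the evaluator assumes the statements carry no `Condition` elements (as the question states) and does not model SCPs or permission boundaries.

```python
"""Offline check: which KMS actions does a policy grant a principal, and which
of the actions a cross-account RDS snapshot copy needs are still missing?"""
import fnmatch

# Concrete KMS actions the copy needs on the source CMK: the five the question
# lists (wildcards expanded) plus kms:CreateGrant, the one the answer found missing.
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)


def _as_list(value):
    """IAM lets Action and Principal.AWS be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _principal_matches(statement, principal_arn):
    # Identity policies carry no Principal: they apply to whoever they are attached to.
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws


def allowed_actions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """Subset of `required` the policy lets `principal_arn` perform.
    An explicit Deny beats any Allow, as in IAM evaluation. Assumption: no Conditions."""
    allowed, denied = set(), set()
    for statement in policy["Statement"]:
        if not _principal_matches(statement, principal_arn):
            continue
        patterns = _as_list(statement.get("Action", []))
        hits = {a for a in required if any(_action_matches(p, a) for p in patterns)}
        (allowed if statement["Effect"] == "Allow" else denied).update(hits)
    return allowed - denied


def missing_actions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """Sorted list of required actions the policy does not grant the principal."""
    return sorted(set(required) - allowed_actions(policy, principal_arn, required))


# Constructed placeholders standing in for <Account B> and the role used in the console.
ACCOUNT_B_ROOT = "arn:aws:iam::222222222222:root"
ACCOUNT_B_ROLE = "arn:aws:iam::222222222222:role/snapshot-copier"
KEY_ARN = "arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000000"

# The key-policy statement as posted in the question (constructed copy).
ORIGINAL_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow an external account to use this KMS key",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_B_ROOT},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
}

# The same statement with the action the accepted answer added.
FIXED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        **ORIGINAL_KEY_POLICY["Statement"][0],
        "Action": ORIGINAL_KEY_POLICY["Statement"][0]["Action"] + ["kms:CreateGrant"],
    }],
}

# Account B's identity policy from the question (constructed copy): no Principal element.
ACCOUNT_B_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUseOfKeyInAccountA",
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}

if __name__ == "__main__":
    for name, policy, who in (("key policy as posted", ORIGINAL_KEY_POLICY, ACCOUNT_B_ROOT),
                              ("key policy with CreateGrant", FIXED_KEY_POLICY, ACCOUNT_B_ROOT),
                              ("Account B IAM policy", ACCOUNT_B_IAM_POLICY, ACCOUNT_B_ROLE)):
        print(f"{name}: missing {missing_actions(policy, who) or 'nothing'}")
```

Run against the posted statements, the check reports `kms:CreateGrant` missing on both sides, which is worth noting: cross-account use of a KMS key requires the action to be allowed by the key policy in Account A and by an identity policy in Account B, so the IAM policy in the question is a second place to add it if the role has no broader KMS permissions from elsewhere.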
