The specified KMS key [null] either doesn't exist...


I am attempting to create an RDS database using a customer managed KMS key through CloudFormation. The key is enabled.

When the CloudFormation stack is executed, I get the following error:

The specified KMS key [null] either doesn't exist, isn't enabled, or isn't accessible by the current user. Either specify a different key or access the key with a different user. (Service: Rds, Status Code: 400, Request ID: XXXX) (RequestToken: XXXX, HandlerErrorCode: InvalidRequest)

Here is the relevant CloudFormation I am using to specify the customer managed key to be used:

RDSInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    KmsKeyId: !Ref RDSEncryptionKmsKey
    StorageEncrypted: true

I can successfully create an RDS instance through the AWS console using this key without assigning any role to the instance or giving it any special IAM permissions, so this appears to be a CloudFormation-only issue.

I had already given the CloudFormation role kms:* permissions to ensure it was not a permissions issue. The specific error returned by CloudTrail was 'KMSKeyNotAccessibleFault'.

Here's the really strange part, and I'm not sure if this is a bug in AWS or not. This IAM permission for the CloudFormation role works and results in the database being created:

Action:
  - 'kms:DescribeKey'
  - 'kms:CreateGrant'
Resource:
  - '*'

This IAM permission for the CloudFormation role does not work, and results in 'KMSKeyNotAccessibleFault':

Action:
  - 'kms:DescribeKey'
  - 'kms:CreateGrant'
Resource:
  - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/mrk-XXX'

I know the correct key is being used, though, because if I just use '*' in the Resource section, it creates the database with the proper KMS key (the one referenced in the second example), but if I specify the actual key ARN in the Resource block, it fails with the KMSKeyNotAccessibleFault.

2 Answers
Accepted Answer

The solution here was not obvious from the error messages in CloudTrail or CloudFormation. The hint was that adding '*' to Resources for the KMS permissions caused it to work properly. When looking through the CloudTrail logs I found a failed DescribeKey entry for an unknown KMS key ID. I looked through the KMS console until I found the key, and it was the key for aws/secretsmanager.

Apparently, if you select the option ManageMasterUserPassword: true, then you not only need to add IAM permissions for secretsmanager:CreateSecret but you also need to add KMS permissions for kms:DescribeKey on the aws/secretsmanager KMS key ARN.

MJ
answered a year ago
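The following is an added example, not code from the original question or either answer, that puts the accepted answer into a template: an instance with ManageMasterUserPassword enabled next to the policy statements the CloudFormation execution role then needs, scoped to the two keys involved instead of '*'. The logical IDs (RDSInstance, RDSEncryptionKmsKey, CfnRdsKmsPolicy), the engine settings, the use of the kms:ResourceAliases condition to match the AWS managed aws/secretsmanager key by alias (its key ID is not known at template time), the kms:GrantIsForAWSResource condition on CreateGrant, and the rds! secret-name prefix are my assumptions about how to express the fix; the statements themselves follow what the accepted answer found in CloudTrail.

```yaml
# Added example (not from the original post). Assumed logical IDs and values are
# placeholders; the role that this policy is attached to is not shown.
Resources:
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      MasterUsername: dbadmin
      # RDS creates and owns the master password secret; by default it is
      # encrypted with the AWS managed aws/secretsmanager key, which is why the
      # CloudFormation role must be able to DescribeKey on that key as well.
      ManageMasterUserPassword: true
      StorageEncrypted: true
      KmsKeyId: !Ref RDSEncryptionKmsKey   # customer managed key for storage encryption

  # Policy for the CloudFormation execution role (assumed name CfnRdsKmsPolicy).
  CfnRdsKmsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Storage encryption: read the customer managed key.
          - Effect: Allow
            Action: kms:DescribeKey
            Resource: !GetAtt RDSEncryptionKmsKey.Arn
          # Storage encryption: let RDS obtain a grant on the key, but only on
          # behalf of an AWS service (assumed least-privilege condition).
          - Effect: Allow
            Action: kms:CreateGrant
            Resource: !GetAtt RDSEncryptionKmsKey.Arn
            Condition:
              Bool:
                kms:GrantIsForAWSResource: 'true'
          # Managed master password: DescribeKey on the AWS managed
          # aws/secretsmanager key. Its key ID differs per account and region,
          # so match it by alias rather than hard-coding an ARN (assumption).
          - Effect: Allow
            Action: kms:DescribeKey
            Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
            Condition:
              'ForAnyValue:StringEquals':
                kms:ResourceAliases: alias/aws/secretsmanager
          # Managed master password: the secret RDS creates (assumed rds! prefix).
          - Effect: Allow
            Action: secretsmanager:CreateSecret
            Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:rds!*'
```

If the stack still fails after this, look in CloudTrail for the next AccessDenied or failed DescribeKey event from the CloudFormation role rather than widening Resource back to '*': the error surfaced by RDS names the wrong key, so the event log is the only place the real key ID shows up.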

Hi

It looks like that, although the KMS ARN is valid, CloudFormation cannot access it.
When you create RDS in the console directly there are two pieces: first, your permission to see the key to select it, and then RDS calling the key and using it.
When you do it via CloudFormation this is not always the case, and it appears that CloudFormation is unable to list the key and/or create a grant.

The best thing would be to check CloudTrail for the IAM principal that is being used to see if there are any error statements.
It is probable that you need to grant CloudFormation access to ListKeys and CreateGrant on the KMS key, but CloudTrail will tell you more.

answered a year ago
  • I had already given the CloudFormation role kms:* permissions to ensure it was not a permissions issue. The specific error returned by CloudTrail was 'KMSKeyNotAccessibleFault'.

    Here's the really strange part, and I'm not sure if this is a bug in AWS or not. This works:

    Action:
      - 'kms:DescribeKey'
      - 'kms:CreateGrant'
    Resource:
      - '*'

    This doesn't:

    Action:
      - 'kms:DescribeKey'
      - 'kms:CreateGrant'
    Resource:
      - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/mrk-XXX'
