The error message you're receiving indicates that the IAM user 'user_id' doesn't have the necessary permissions to perform the 'kms:GenerateDataKey' action on the specified KMS key. This permission is required to generate a data key that will be used to encrypt/decrypt data on AWS.
To resolve this issue, you need to modify the IAM policy attached to 'user_id' to include the 'kms:GenerateDataKey' action. Here are the steps to do it:
- Sign in to the AWS Management Console, then navigate to the IAM (Identity & Access Management) service.
- Select 'Users' from the sidebar and find the user 'user_id' in the list.
- Select 'Add permissions' from the user details page.
- Choose 'Attach existing policies directly'. You will be given a list of existing policies.
- Create a new policy if there's no policy available that includes the 'kms:GenerateDataKey' action. To do this, select 'Create policy', then 'JSON'. Paste the following policy into the JSON text box (be sure to replace 'your-key-id' with the ID of your actual key):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowUseOfKMSKey",
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey"
        ],
        "Resource": "arn:aws:kms:us-east-1:XXXX_ID:key/your-key-id"
      }
    ]
  }

- Name and describe your policy, then click 'Create policy'.
- Return to the 'Add permissions' page for your user and refresh the policy list.
- Find your newly created policy in the list and select the check box next to it.
- Click 'Review' and 'Add permissions' to apply the policy to your user.
These steps should resolve your issue. If the error persists, make sure that there are no other policies that might explicitly deny the 'kms:GenerateDataKey' action.
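Added example (not part of the answer above, and not AWS code): a small offline evaluator that applies IAM's identity-policy rules (explicit Deny beats Allow, wildcard matching on actions and resources) to the policy from the answer plus a constructed Deny statement, to show why the "no other policy explicitly denies it" check matters. The account ID 111122223333 and the second policy are constructed placeholders; Condition, NotAction, key policies and SCPs are deliberately out of scope.

```python
import fnmatch
import json

# Constructed placeholder ARN (account 111122223333 is not a real account).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/your-key-id"

# The policy from the answer, with the placeholder account ID filled in.
ALLOW_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUseOfKMSKey",
    "Effect": "Allow",
    "Action": ["kms:GenerateDataKey"],
    "Resource": "arn:aws:kms:us-east-1:111122223333:key/your-key-id"
  }]
}""")

# Constructed example of an explicit deny attached elsewhere (group, another policy).
DENY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyKeyUse",
    "Effect": "Deny",
    "Action": "kms:GenerateDataKey*",
    "Resource": "*"
  }]
}""")


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; ARNs are compared as written.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for the given request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, True):
                continue
            if not _matches(stmt.get("Resource", []), resource, False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Run `evaluate([ALLOW_POLICY, DENY_POLICY], "kms:GenerateDataKey", KEY_ARN)` to see the Deny win even though the new policy grants the action.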