KMS key policy to allow access to the key only to the role used to create the key


Looking for a KMS key policy that satisfies the following requirement. The role that a user/program assumes to create a KMS key is specified in the key's policy as the only role/user which, when assumed, may access the key in the future. If such a policy is possible, then what is it? If not, then which specific feature of KMS doesn't allow it?

The approach described below has been unsuccessful.

Through the AWS console in account 444444444444, I can create a KMS key with a policy (see below).

KMSCreateCustomerKeyRole in account 444444444444 is a cross-account role for account 3333333333333. In the latter there is an encryption_key_manager user in a user group that can assume KMSCreateCustomerKeyRole.

Logging into the AWS console as the encryption_key_manager user and assuming KMSCreateCustomerKeyRole, a key with the same policy also gets created successfully.

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444444444444:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Deny for everyone except the specified role and user",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::444444444444:root",
                    "arn:aws:sts::444444444444:assumed-role/KMSCreateCustomerKeyRole/encryption_key_manager",
                    "arn:aws:iam::444444444444:role/KMSCreateCustomerKeyRole"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

So far, it works in the sense that other users/roles can't access the key through the console.

However, key creation should be done programmatically, so to test this policy I try to create a key via the CLI. The CLI uses the KMSCreateCustomerKeyRole profile, which points to the default encryption_key_manager profile, with the aws credentials file as

[default]
role_arn = arn:aws:iam::444444444444:role/KMSCreateCustomerKeyRole
source_profile = encryption_key_manager

[encryption_key_manager]
aws_access_key_id = .....

get-caller-identity returns

{
    "UserId": "AAAAAAAAAAAAAAA:botocore-session-1640070193",
    "Account": "444444444444",
    "Arn": "arn:aws:sts::444444444444:assumed-role/KMSCreateCustomerKeyRole/botocore-session-1640070193"
}

Key generation request

aws kms create-key --description another_key --policy file://policy.json --region us-east-2

results in:

An error occurred (MalformedPolicyDocumentException) when calling the CreateKey operation: The new key policy will not allow you to update the key policy in the future.

The same error is produced for the encryption_key_manager profile

aws kms create-key --description another_key --policy file://policy.json --profile encryption_key_manager --region us-east-2

I thought that this may happen because, while using the command line, we pass to AWS KMS an ARN with a session id, and KMS can't match this ARN to any of the ARNs in the array for NotPrincipal in the Deny part of the policy. I have added the ARN with the session id (arn:aws:sts::444444444444:assumed-role/KMSCreateCustomerKeyRole/botocore-session-1640070193) to the array of ARNs, but the error stays the same.

asked 2 years ago, 21601 views
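The following is an added example, not part of the question or of the answer below. It uses a small model of key policy evaluation to show why the NotPrincipal-based policy from the question passes the CreateKey lockout safety check from the console but fails it from the CLI, and it builds a key policy that pins access to the role with an aws:PrincipalArn condition instead. The facts it relies on: a Principal or NotPrincipal ARN is matched exactly (no partial wildcards are allowed in those elements); an assumed-role session ARN has the form arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION_NAME, and the CLI generates a session name such as botocore-session-1640070193, so the sts ARN in a NotPrincipal list has to name that exact session; for a role session the aws:PrincipalArn condition key resolves to the role ARN arn:aws:iam::ACCOUNT:role/ROLE, whatever the session name; and CreateKey rejects a policy under which the caller could not call kms:PutKeyPolicy (MalformedPolicyDocumentException) unless BypassPolicyLockoutSafetyCheck is set. The account, role and session names are the ones from the question; the evaluator is a deliberately minimal model (an applicable explicit Deny wins, otherwise an Allow is required) that covers only the statement shapes used here and is not the real IAM engine.

```python
"""Added example: NotPrincipal vs aws:PrincipalArn in a KMS key policy.

Minimal model of key policy evaluation, not the real IAM engine. Names
are taken from the question above; see the lead-in for the facts modelled.
"""
import fnmatch
import json

ACCOUNT = "444444444444"
ROLE = "KMSCreateCustomerKeyRole"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE}"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"


def role_session(session_name, iam_allows_kms=True):
    """Request context of a caller that has assumed ROLE for one session."""
    return {
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE}/{session_name}",
        "account": ACCOUNT,
        "aws:PrincipalArn": ROLE_ARN,   # the role ARN, stable across sessions
        "iam_allows": iam_allows_kms,   # the role's own IAM policy grants kms:*
    }


def iam_user(name, iam_allows_kms=True):
    """Request context of an ordinary IAM user in the same account."""
    arn = f"arn:aws:iam::{ACCOUNT}:user/{name}"
    return {"arn": arn, "account": ACCOUNT, "aws:PrincipalArn": arn,
            "iam_allows": iam_allows_kms}


def root_user():
    """Request context of the account root user."""
    return {"arn": ROOT_ARN, "account": ACCOUNT, "aws:PrincipalArn": ROOT_ARN,
            "iam_allows": True}


def notprincipal_policy():
    """Shape of the policy from the question: deny everyone not listed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Deny for everyone except the specified role and user",
         "Effect": "Deny",
         "NotPrincipal": {"AWS": [ROOT_ARN, ROLE_ARN,
                                  f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE}/encryption_key_manager"]},
         "Action": "kms:*", "Resource": "*"}]}


def principalarn_policy():
    """Grant the role directly; deny any other principal by aws:PrincipalArn."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow only the key creator role", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Deny every other principal", "Effect": "Deny",
         "Principal": "*", "Action": "kms:*", "Resource": "*",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ROLE_ARN}}}]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _principal_matches(block, caller):
    """Principal element: a role ARN covers every session of that role, and
    the account root ARN delegates to any principal in the account whose own
    IAM policy allows the action."""
    if block == "*":
        return True
    for arn in _as_list(block["AWS"]):
        if arn in (caller["arn"], caller["aws:PrincipalArn"]):
            return True
        if arn == f"arn:aws:iam::{caller['account']}:root" and caller["iam_allows"]:
            return True
    return False


def _notprincipal_excludes(block, caller):
    """NotPrincipal is compared against the exact identity ARN of the request;
    for an assumed role that is the per-session sts ARN, so neither the role
    ARN nor the account root ARN in the list shields the session."""
    return caller["arn"] in _as_list(block["AWS"])


def _condition_holds(cond, caller):
    """Only ArnEquals / ArnNotEquals on aws:PrincipalArn are modelled."""
    for op, pairs in cond.items():
        if op not in ("ArnEquals", "ArnNotEquals"):
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            matched = caller.get(key) in _as_list(expected)
            if (op == "ArnEquals") != matched:
                return False
    return True


def is_allowed(policy, caller, action):
    """An applicable explicit Deny wins; otherwise an applicable Allow is needed."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if "NotPrincipal" in st:
            applies = not _notprincipal_excludes(st["NotPrincipal"], caller)
        else:
            applies = _principal_matches(st["Principal"], caller)
        if applies and "Condition" in st:
            applies = _condition_holds(st["Condition"], caller)
        if not applies:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lockout_check_passes(policy, caller):
    """Mirrors CreateKey's refusal of a policy the caller could not update."""
    return is_allowed(policy, caller, "kms:PutKeyPolicy")


if __name__ == "__main__":
    callers = {"console session": role_session("encryption_key_manager"),
               "cli session": role_session("botocore-session-1640070193"),
               "other user": iam_user("someone-else"), "root": root_user()}
    for name, pol in (("NotPrincipal", notprincipal_policy()),
                      ("aws:PrincipalArn", principalarn_policy())):
        print(name, {c: lockout_check_passes(pol, k) for c, k in callers.items()})
    print(json.dumps(principalarn_policy(), indent=2))
```

Running the script shows the NotPrincipal policy passing the lockout check only for the session literally named encryption_key_manager, while the aws:PrincipalArn policy passes for every session of the role and for nothing else; the JSON it prints last is the document to hand to aws kms create-key --policy file://policy.json. Two caveats before adopting it: the second policy contains no root-account statement, so IAM policies in the account can no longer grant anything on the key and the account root user itself is denied, which means that if KMSCreateCustomerKeyRole is deleted the key has no administrator left; and the model here only evaluates the key policy, whereas the real lockout check and every later request also see the caller's IAM policies and any SCPs.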
1 Answer
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:role/KeyCreatorRole"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

This is taken from the examples found here: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

kentrad (AWS EXPERT)
answered 2 years ago
  • This doesn't work. I am using a role to access the KMS key and have given the role access in the key policy, but still with the role I can't even describe the key.
