1 Answer
I believe the primary problem with the key policy above is the key context that you are specifying. The key context used by AWS Secrets Manager to specify the specific secret is kms:EncryptionContext:SecretARN, as described here -> https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-encryption-context. Use extreme caution when updating the key policies so they don't become unmanageable -> https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html. Make sure you have a statement for key administration, in addition to the key user policy that you are customizing. The policy statement for Amazon MSK should look something like this:
{
    "Sid": "AllowUseOfTheKeyForSecretsManager",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YourAccount>:role/<MSKRoleName>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:<YourRegion>:<YourAccount>:secret:AmazonMSK_*"
        }
    }
}
Answered 1 year ago
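To see why the condition key matters, the following added example (not part of the answer above or of any AWS code) builds a complete key policy with an administration statement plus the MSK user statement, and runs a simplified IAM-style evaluator over it. The account id, region and role names are placeholders; the evaluator models only Allow statements, `StringEquals`/`StringLike` conditions and `*`/`?` wildcards, and treats a missing condition key as a failed match, which is how KMS behaves when a request's encryption context lacks the key named in the policy.

```python
"""Evaluate a KMS key policy against sample requests to check the
kms:EncryptionContext:SecretARN condition. Added example with placeholder
account/region/role values; simplified evaluator, not the real IAM engine."""
import re
from typing import Any, Dict, List

ACCOUNT = "111122223333"  # placeholder account id (assumption)
REGION = "us-east-1"      # placeholder region (assumption)
MSK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/MSKRoleName"        # placeholder
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/KMSAdminRole"     # placeholder
SECRET_PATTERN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:AmazonMSK_*"

# Full key policy: a key-administration statement so the key stays
# manageable, plus the Secrets Manager / MSK user statement.
KEY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "AllowUseOfTheKeyForSecretsManager",
            "Effect": "Allow",
            "Principal": {"AWS": MSK_ROLE},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringLike": {"kms:EncryptionContext:SecretARN": SECRET_PATTERN}},
        },
    ],
}


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Every operator/key pair must match; a key absent from the request fails."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(patterns)
            elif operator == "StringLike":
                ok = any(_wild(p, actual) for p in _as_list(patterns))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy: Dict[str, Any], principal: str, action: str,
               context: Dict[str, str]) -> bool:
    """True if some Allow statement covers principal, action and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


# Constructed sample requests (secret ARN suffix is made up).
MSK_SECRET = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:AmazonMSK_cluster1-AbCdEf"
OTHER_SECRET = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/db-XyZ123"
GOOD_CTX = {"kms:EncryptionContext:SecretARN": MSK_SECRET}
WRONG_KEY_CTX = {"kms:EncryptionContext:SecretId": MSK_SECRET}  # made-up wrong key name

if __name__ == "__main__":
    print("MSK role decrypt, SecretARN context:", is_allowed(KEY_POLICY, MSK_ROLE, "kms:Decrypt", GOOD_CTX))
    print("MSK role decrypt, wrong context key:", is_allowed(KEY_POLICY, MSK_ROLE, "kms:Decrypt", WRONG_KEY_CTX))
    print("MSK role decrypt, non-MSK secret:", is_allowed(KEY_POLICY, MSK_ROLE, "kms:Decrypt",
                                                         {"kms:EncryptionContext:SecretARN": OTHER_SECRET}))
    print("Admin role PutKeyPolicy:", is_allowed(KEY_POLICY, ADMIN_ROLE, "kms:PutKeyPolicy", {}))
```

Running it shows the MSK role can decrypt only when the request carries `kms:EncryptionContext:SecretARN` matching the `AmazonMSK_*` prefix; a request with a differently named context key or a non-MSK secret is denied, and the admin role can manage the key but not use it for data operations.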
That one works. Thanks!