使用别名访问KMS加密桶
使用别名访问KMS加密桶
提问于 2021-05-26 08:44:17
假设我有一个使用KMS密钥加密的存储桶,KMS密钥策略如下所示
{
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam:::my_role_here"
},
"Action" : [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource" : "arn:aws:kms:::long_kms_id",
"Condition": {
"StringLike": {
"kms:RequestAlias": "alias/my_kms_alias"
}
}
}我的IAM角色的策略是
{
"Sid": "AllowUseOfKmsKey",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:RequestAlias": "alias/my_kms_alias"
}
}
}然而,当我执行PUT操作时,我得到了一个访问被拒绝的消息:An error occurred (AccessDenied) when calling the PutObject operation: Access Denied。但是,如果我删除了IAM角色策略上的Condition,则可以执行此操作。
我一直在关注这个doc,但似乎什么都不起作用,或者解释得很清楚。如果我为其提供了KMS别名,如何确保要访问S3存储桶的角色能够访问该存储桶?
回答 1
Stack Overflow用户
发布于 2021-05-26 22:02:48
正如@Marcin指出的,你不需要在关键策略和角色策略上都有它。
如果您想要将此密钥用于另一个帐户,则最好将策略设置为打开密钥。
正如您提供的文档所解释的那样,当您使用kms:RequestAlias时,请求用户需要显式地使用别名。
请参见下面的示例。我的关键策略允许我的帐户中的所有内容。
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123412341234:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}但是我的角色没有任何allow语句来使用这个键,所以它将失败。
$ aws s3api put-object --bucket mybucket --key key1 --body ./test.txt --ssekms-key-id arn:aws:kms:us-east-1:123412341234:key/66053e20-c9e6-4df9-901a-c6aed5e51ea5 --server-side-encryption "aws:kms" --region us-east-1
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied我将下面的策略添加到我的角色中。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:RequestAlias": "alias/test-leo"
}
}
}
]
}现在我将强制使用我的密钥(而不是别名)。它也会失败,因为我使用的不是别名,而是Key。
$ aws s3api put-object --bucket mybucket --key key2 --body ./test.txt --ssekms-key-id arn:aws:kms:us-east-1:123412341234:key/66053e20-c9e6-4df9-901a-c6aed5e51ea5 --server-side-encryption "aws:kms" --region us-east-1
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied查看CloudTrail时,您将看到如下所示的错误跟踪:
"eventTime": "2021-05-26T13:42:24Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::123412341234:assumed-role/myrole/i-12adc5581f1a9b9dd is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:123412341234:key/66053e20-c9e6-4df9-901a-c6aed5e51ea5",现在我将强制使用我的Key Alias (不是key ARN)。它之所以有效,是因为我在命令上使用了密钥别名ARN。
$ aws s3api put-object --bucket mybucket --key key3 --body ./test.txt --ssekms-key-id arn:aws:kms:us-east-1:123412341234:alias/test-leo --server-side-encryption "aws:kms" --region us-east-1
{
"SSEKMSKeyId": "arn:aws:kms:us-east-1:123412341234:key/66053e20-c9e6-4df9-901a-c6aed5e51ea5",
"ETag": "\"ab544583c58d325231bb7b11e8472a1b\"",
"ServerSideEncryption": "aws:kms"
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/67697212
复制相关文章
相似问题
腾讯云开发者
