ECS cluster cannot decrypt with KMS key: "you are not allowed to access"



I keep getting the error:

software.amazon.awssdk.services.kms.model.KmsException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

when trying to decrypt.

I created a task execution role with the following permissions:

    {
      "AssumeRolePolicyDocument": {
        "Version": "2008-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      },
      "ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
      ],
      "Policies": [
        {
          "PolicyName": "AllowKmsDecrypt",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "kms:Decrypt"
                ],
                "Resource": [
                  {"Ref": "PrincipalSourceKeyArn"}
                ]
              }
            ]
          }
        }
      ]
    }

and the task definition is associated with the role:

    "ExecutionRoleArn": {"Ref": "TaskExecutionRoleArn"},

Hmm. What else could I be missing?

From these docs it appears that IAM policies alone are not enough:

"IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK."

I needed to update the KMS KeyPolicy to include:

    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" : "AWS::AccountId"} ,":root" ]] }
      },
      "Action": "kms:*",
      "Resource": "*"
    }

With this line, { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" : "AWS::AccountId"} ,":root" ]] }, you only allow this key to be used through the root account.

Generally, this key policy has to give users the ability to manage the key, and give the services or other users that use the key only a few specific actions. So for me the whole setup had to look like this:

  KMSKeyEncryption:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: false
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Principal:
              AWS: "<arn of the users/roles who are allowed to manage this key>"
            Effect: Allow
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
              - kms:Encrypt*
              - kms:Decrypt*
            Resource: "*"
          - Principal: "*" # this is not specific enough, should be strict
            Effect: Allow
            Action:
              - kms:Decrypt*
            Resource: "*"
  PolicyDecryptKms:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DecryptKmsPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowDecryptValues
            Effect: Allow
            Action:
              - kms:Decrypt*
            Resource: !GetAtt KMSKeyEncryption.Arn
  RoleECSTaskContainer:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2008-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      RoleName: ECSTaskContainerRole
      ManagedPolicyArns:
        - !Ref PolicyDecryptKms
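As an added example (not code from the thread or from AWS), a small Python checker for the two key-policy points discussed above: whether the root-principal statement that lets IAM policies take effect is present, and whether any Decrypt statement still uses the overly broad Principal "*" flagged in the answer's comment. The account id and the ECS task role ARN are constructed placeholders; `restrict_wildcard_principals` shows the tightened form of the second statement.

```python
# Static checks for a KMS key policy, covering both issues in this thread: unless the
# account root principal is allowed, IAM policies such as AllowKmsDecrypt have no effect
# on the key, and a Principal "*" Decrypt statement with no Condition is open to anyone.
import copy
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed placeholder account id
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ECSTaskContainerRole"  # constructed

def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of strings; a bare "*" stays "*"."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]


def _allows(stmt, action):
    """True if an Allow statement's Action patterns (kms:*, kms:Decrypt*, ...) cover action."""
    patterns = _as_list(stmt.get("Action", []))
    return stmt.get("Effect") == "Allow" and any(fnmatch.fnmatchcase(action, p) for p in patterns)


def analyze_key_policy(policy, account_id, action="kms:Decrypt"):
    """Report whether IAM policies can grant `action` on this key and which statements are open."""
    root = f"arn:aws:iam::{account_id}:root"
    findings = {"iam_policies_effective": False, "open_sids": []}
    for stmt in policy["Statement"]:
        principals = _principals(stmt)
        if root in principals and _allows(stmt, action):
            findings["iam_policies_effective"] = True
        if "*" in principals and _allows(stmt, action) and "Condition" not in stmt:
            findings["open_sids"].append(stmt.get("Sid", "<no Sid>"))
    return findings


def restrict_wildcard_principals(policy, principal_arn):
    """Return a copy in which every Principal "*" is replaced by one specific ARN."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Principal") == "*":
            stmt["Principal"] = {"AWS": principal_arn}
    return fixed

# Constructed sample mirroring the thread: root delegation plus a wildcard Decrypt statement.
THREAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}, "Resource": "*"},
    {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Decrypt*"], "Resource": "*"}]}
```

Running `analyze_key_policy(THREAD_POLICY, ACCOUNT_ID)` reports IAM policies as effective but lists `AnyoneCanDecrypt` as open; after `restrict_wildcard_principals(THREAD_POLICY, TASK_ROLE_ARN)` the open list is empty.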
