How do I get AWS cross-account KMS keys to work?
Your key, role and policies are set up correctly. When you call describe-key on a Customer Master Key (CMK) that is on a different AWS account, you have to specify the key ARN or alias ARN in the value of the key-id parameter.
From the official docs:
To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
That said, if you do something like below, it will work:
aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
Related videos on Youtube
24 : 21
36 : 22
10 : 39
07 : 48
35 : 32
30 : 14
02 : 40
Ryan Fisher
A natural problem solver comfortable challenging the status quo in pursuit of better products, team cohesion, and personal development. Consistently recognized by management for ingenuity, process optimization, leadership, and the ability to intuitively spot the strengths and weaknesses of any system. Experienced in front and backend software development, DevOps and AWS infrastructure, leadership, product management, project management, SaaS services, recurring revenue products, process engineering, agile and scrum, automation/testing/TDD/CI, and requirements development. What I excel at: Challenge and the unknown, I am a self-starter and very comfortable being thrown into the deep end Working with limited structure and support, I excel early stage and intrapreneur environments Flexibility, adaptability, and rapid learning Having great perspective, I always bring something new to the table Growth, I am always learning and pushing my team to grow
Updated on June 14, 2022Comments
-
Ryan Fisher almost 2 years
I'm trying to set up cross-account access to allow for an external account to use my KMS key to decrypt data from an S3 bucket. I have the key, policies, roles set up with what I believe is the correct grants but I can't describe the key from the external account. Hoping to get some input as to what I'm doing wrong.
Account 111: Key with policy grant to root of external account (999)
{ "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::999:root" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::999:root" ] }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] }Role in account 999 with the policy attached granting access to key from 111:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:RevokeGrant", "kms:CreateGrant", "kms:ListGrants" ], "Resource": "arn:aws:kms:us-west-2:111:key/abc-def" "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:DescribeKey" ], "Resource": "arn:aws:kms:us-west-2:111:key/abc-def" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "*" } ] }Yet when I assume the role in 999 using aws-shell:
aws> kms describe-key --key-id=abc-def An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist