Baked Inhalf

Reputation: 3735

AWS how to create CMK key from Java for specific IAM user

Whenever I try to create a CMK key I get an error: {"errorMessage":"User: arn:aws:sts:: [...] is not authorized to perform: kms:CreateKey.

How can I create the CMK key for a specific IAM user? I'm guessing I need to invoke that user's IAM policy?

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.CreateKeyRequest;
import com.amazonaws.services.kms.model.CreateKeyResult;

// Client takes its credentials from the default provider chain
AWSKMS kms = AWSKMSClientBuilder.defaultClient();

String desc = "My CMK key";

CreateKeyRequest createCMKreq = new CreateKeyRequest().withDescription(desc);
CreateKeyResult createCMKresult = kms.createKey(createCMKreq);

Upvotes: 1

Views: 884

Answers (2)

Vijayanath Viswanathan

Reputation: 8541

Please attach the below policy to your IAM user policy,

{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": [
    "arn:aws:iam::111122223333:user/KMSUser",
    "arn:aws:iam::111122223333:role/KMSRole", // ADD ALL NEEDED USERS HERE
    "arn:aws:iam::444455556666:root"
  ]},
  "Action": "kms:*", // CHANGE * IF YOU DON'T NEED FULL PERMISSION
  "Resource": "*" // CHANGE * IF YOU DON'T NEED FULL PERMISSION
}

Giving '*' for permission is not at all a good idea as it will provide full access. So please narrow down the permission according to your requirement.

It would be worth reading the below two official documentation pages on the same,

http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

http://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html

Upvotes: 1
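Two things are worth separating when applying the answer above. A statement with a "Principal" element, like the one shown, is a key policy statement: it is stored on the key itself and governs who may use or administer that key once it exists. The kms:CreateKey call that the question fails on happens before any key exists, so it can only be authorized by an IAM policy attached to the caller; the key policy is what you pass in with the CreateKey request. The following is an added example, not code from the question or either answer: it reads the caller's account and ARN from STS (so no account numbers are hard-coded), creates a CMK whose key policy keeps the account root as the AWS-default administrator and gives the calling principal an explicit administrator action list instead of "kms:*", and reports an AccessDeniedException as the IAM-side problem it is. It assumes AWS SDK for Java 1.x on the classpath and the IAM user's credentials in the default provider chain; the class and method names are mine.

```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.AWSKMSException;
import com.amazonaws.services.kms.model.CreateKeyRequest;
import com.amazonaws.services.kms.model.CreateKeyResult;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;

// Added example (not from the question or answers). Assumes AWS SDK for Java 1.x
// and credentials for the IAM user in the default provider chain. Account id and
// caller ARN come from STS at runtime, so nothing account-specific is hard-coded.
public class CreateCmkWithScopedKeyPolicy {

    // Key policy with two statements: the account root keeps full control (the
    // AWS default, which stops the key from ever becoming unmanageable), and the
    // calling principal gets a named administrator action list rather than kms:*.
    static String keyPolicyFor(String accountId, String adminPrincipalArn) {
        return "{\n"
            + "  \"Version\": \"2012-10-17\",\n"
            + "  \"Statement\": [\n"
            + "    {\n"
            + "      \"Sid\": \"Enable IAM User Permissions\",\n"
            + "      \"Effect\": \"Allow\",\n"
            + "      \"Principal\": {\"AWS\": \"arn:aws:iam::" + accountId + ":root\"},\n"
            + "      \"Action\": \"kms:*\",\n"
            + "      \"Resource\": \"*\"\n"
            + "    },\n"
            + "    {\n"
            + "      \"Sid\": \"Allow administration of the key\",\n"
            + "      \"Effect\": \"Allow\",\n"
            + "      \"Principal\": {\"AWS\": \"" + adminPrincipalArn + "\"},\n"
            + "      \"Action\": [\n"
            + "        \"kms:Describe*\", \"kms:Get*\", \"kms:List*\",\n"
            + "        \"kms:Enable*\", \"kms:Disable*\", \"kms:Put*\",\n"
            + "        \"kms:ScheduleKeyDeletion\", \"kms:CancelKeyDeletion\"\n"
            + "      ],\n"
            + "      \"Resource\": \"*\"\n"
            + "    }\n"
            + "  ]\n"
            + "}";
    }

    public static void main(String[] args) {
        // Ask STS who we are; for an IAM user this is arn:aws:iam::<account>:user/<name>.
        // For an assumed role the durable principal to name would be the role ARN.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.defaultClient();
        GetCallerIdentityResult who = sts.getCallerIdentity(new GetCallerIdentityRequest());
        String accountId = who.getAccount();
        String callerArn = who.getArn();
        System.out.println("Creating key as " + callerArn);

        AWSKMS kms = AWSKMSClientBuilder.defaultClient();
        CreateKeyRequest req = new CreateKeyRequest()
            .withDescription("My CMK key")
            .withPolicy(keyPolicyFor(accountId, callerArn));
        try {
            CreateKeyResult res = kms.createKey(req);
            System.out.println("Created key " + res.getKeyMetadata().getKeyId());
        } catch (AWSKMSException e) {
            // kms:CreateKey is authorized only by the caller's IAM policy: no key
            // policy can grant it, because the key does not exist yet. So an
            // AccessDeniedException here means the IAM user needs kms:CreateKey
            // in an attached identity policy, whatever the key policy says.
            if ("AccessDeniedException".equals(e.getErrorCode())) {
                System.err.println("Caller lacks kms:CreateKey in its IAM policy: "
                    + e.getErrorMessage());
            }
            throw e;
        }
    }
}
```

Run it with the IAM user's credentials exported (or a named profile selected with AWS_PROFILE) and the usual SDK region configuration. The action list in the second statement is a starting point: drop kms:ScheduleKeyDeletion if that user should not be able to destroy keys, and add kms:Encrypt/kms:Decrypt/kms:GenerateDataKey only for principals that actually need to use the key rather than manage it.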

Kush Vyas

Reputation: 6079

You need the IAM user to have the AWSKeyManagementServicePowerUser managed policy attached to the user.

You can attach this Policy :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:Describe*",
        "kms:GenerateRandom",
        "kms:Get*",
        "kms:List*",
        "kms:TagResource",
        "kms:UntagResource",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

Hope this helps

Upvotes: 2
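A practical way to apply this answer without guessing is to attach the managed policy and then ask IAM's policy simulator what the user can do, before touching KMS at all. The following is an added example, not code from the answer or from AWS: it attaches AWSKeyManagementServicePowerUser to a user and simulates kms:CreateKey together with two actions the policy above does not list (kms:Decrypt and kms:ScheduleKeyDeletion), so you can confirm both that the failing call is now allowed and that the policy did not grant more than intended. It assumes AWS SDK for Java 1.x and that the caller running it is an administrator with iam:AttachUserPolicy and iam:SimulatePrincipalPolicy; the account id and user name are placeholders passed on the command line, and the class and method names are mine.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.AttachUserPolicyRequest;
import com.amazonaws.services.identitymanagement.model.EvaluationResult;
import com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest;
import com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult;

// Added example (not from the answer). Assumes AWS SDK for Java 1.x and an
// administrative caller with iam:AttachUserPolicy and iam:SimulatePrincipalPolicy.
// <account-id> and <user-name> are placeholders supplied on the command line.
public class GrantAndVerifyKmsPowerUser {

    // ARN of the AWS-managed policy named in the answer.
    static final String POWER_USER_POLICY_ARN =
        "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser";

    // Attach the managed policy to the user. AttachUserPolicy is idempotent, so
    // running this twice does not fail or duplicate anything.
    static void attachPowerUser(AmazonIdentityManagement iam, String userName) {
        iam.attachUserPolicy(new AttachUserPolicyRequest()
            .withUserName(userName)
            .withPolicyArn(POWER_USER_POLICY_ARN));
    }

    // Ask the IAM policy simulator how each action would be decided for the user,
    // taking all attached identity policies into account. Decisions come back as
    // "allowed", "explicitDeny" or "implicitDeny".
    static Map<String, String> simulate(AmazonIdentityManagement iam,
                                        String userArn, String... actions) {
        SimulatePrincipalPolicyResult res = iam.simulatePrincipalPolicy(
            new SimulatePrincipalPolicyRequest()
                .withPolicySourceArn(userArn)
                .withActionNames(actions));
        Map<String, String> decisions = new LinkedHashMap<>();
        for (EvaluationResult r : res.getEvaluationResults()) {
            decisions.put(r.getEvalActionName(), r.getEvalDecision());
        }
        return decisions;
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: GrantAndVerifyKmsPowerUser <account-id> <user-name>");
            System.exit(2);
        }
        String userArn = "arn:aws:iam::" + args[0] + ":user/" + args[1];
        AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

        attachPowerUser(iam, args[1]);

        // kms:CreateKey is the action the question failed on and should now be
        // allowed. kms:Decrypt and kms:ScheduleKeyDeletion are not in the power
        // user policy, so they should stay implicitDeny unless some other policy
        // on the user grants them; seeing "allowed" there is worth investigating.
        Map<String, String> decisions = simulate(iam, userArn,
            "kms:CreateKey", "kms:Decrypt", "kms:ScheduleKeyDeletion");
        decisions.forEach((action, decision) ->
            System.out.println(action + " -> " + decision));

        if (!"allowed".equals(decisions.get("kms:CreateKey"))) {
            throw new IllegalStateException(
                "kms:CreateKey still denied; look for an explicit Deny or an SCP");
        }
    }
}
```

The simulator only evaluates identity-based policies and permissions boundaries for the user; it will not see a service control policy in an organization, which is why a "still denied" result after attaching the policy usually points at an SCP or an explicit Deny elsewhere.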
