nealous3

Reputation: 742

Getting MalformedPolicyDocumentException error when attaching KMS key policy to key using Terraform

With Terraform, I am trying to attach an IAM policy document to an aws_kms_key_policy resource. I get this error when trying to apply:

╷
│ Error: attaching KMS Key policy (d748265c-7fcc-4e3c-8f85-5fe6eefb6e8a): updating policy: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
│
│   with module.*****.aws_kms_key_policy.origin_access,
│   on ../modules/ui/kms.tf line 12, in resource "aws_kms_key_policy" "origin_access":
│   12: resource "aws_kms_key_policy" "origin_access" {

This is the policy document:

data "aws_iam_policy_document" "key_policy" {
  # Single statement: both principals below share the same actions AND the
  # same aws:SourceArn condition (this is the document that KMS rejected).
  statement {
    sid = "Allow cloudfront KMS Use"

    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account}:root"]
    }
    actions = [
      "kms:*"
    ]

    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.s3_distribution.arn]
    }
  }
}

These are the KMS resources:

resource "aws_kms_key" "origin_bucket_key" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
}

resource "aws_kms_alias" "key_alias" {
  name          = "alias/${var.env}-key"
  target_key_id = aws_kms_key.origin_bucket_key.key_id
}

resource "aws_kms_key_policy" "origin_access" {
  key_id = aws_kms_key.origin_bucket_key.id
  policy = data.aws_iam_policy_document.key_policy.json
}

FYI, I did get the same error using EOF and attaching the policy directly to the aws_kms_key_policy policy field. I tried many other variations but couldn't get it to work. I also have AdministratorAccess attached to my IAM user. The example key policy I am trying to create is here. Is this error informative, and how can I get past this?

Upvotes: 0

Views: 2149

Answers (1)

nealous3

Reputation: 742

With the help of AWS support and a helpful comment by Mark B, I was able to solve the problem. Firstly, I had to delete the key, because the error states the key can no longer be updated. Secondly, I had to split the policy into two statements, because the original one is considered malformed (information on why is at the bottom). The proper policy document is below:

data "aws_iam_policy_document" "key_policy" {
  # Statement 1: unconditional kms:* for the account root, which is what lets
  # IAM principals in the account (including the one running terraform) keep
  # calling kms:PutKeyPolicy on this key.
  statement {
    sid = "Allow root KMS Use"

    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account}:root"]
    }

    actions = [
      "kms:*"
    ]

    resources = ["*"]
  }

  # Statement 2: least-privilege grant for CloudFront only, scoped to the one
  # distribution through aws:SourceArn.
  statement {
    sid = "Allow cloudfront KMS Use"

    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    actions = [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:GenerateDataKey*"
    ]

    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.s3_distribution.arn]
    }
  }
}

Edit: The statement was trying to apply a condition to both the root IAM user and CloudFront. The condition was not valid for the root user, and therefore it could never update the key policy.

Upvotes: 0
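The check that produced the error, reproduced offline as an added example (example code written for this page; it is not from the question, the answer, or the Terraform AWS provider). KMS rejects a new key policy unless the caller of PutKeyPolicy would still be allowed to call PutKeyPolicy under it; for an IAM user or role that means some Allow statement must grant kms:PutKeyPolicy to the account root principal without a condition a direct API call cannot meet. aws:SourceArn is such a condition: it is only present when an AWS service (here CloudFront) makes the call on a resource's behalf, so the question's single merged statement gates the root grant on a key that is never there. The script models that rule as an approximation (explicit Deny, NotAction and NotPrincipal are not modelled), runs it against JSON shaped like what aws_iam_policy_document renders for the two documents above, and flags the original while passing the split version. The account id, the distribution ARN and the list of service-only condition keys are constructed assumptions.

```python
"""Offline pre-check for the KMS "new key policy will not allow you to update the
key policy in the future" rejection. Approximates the KMS lockout safety check:
is there an Allow statement that lets the account root call kms:PutKeyPolicy
without a condition that a direct (non-service) API call can never satisfy?
"""
import fnmatch
import json

# Condition keys that only a calling AWS service populates, never a direct API
# call. Minimal list, an assumption for this example; extend as needed.
SERVICE_ONLY_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

ACCOUNT = "111122223333"  # constructed sample account id
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT}:distribution/EDFDVBD6EXAMPLE"  # constructed

# Rendering of the question's single-statement document: both principals share
# one statement, so the root grant is also gated on aws:SourceArn.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow cloudfront KMS Use",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root",
                      "Service": "cloudfront.amazonaws.com"},
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
}

# Rendering of the answer's split document: unconditional root grant plus a
# scoped CloudFront grant.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow root KMS Use", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow cloudfront KMS Use", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
         "Resource": "*",
         "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}},
    ],
}
FIXED_POLICY_JSON = json.dumps(FIXED_POLICY)  # the form a plan/state would carry


def _as_list(value):
    """IAM allows a single string or a list in most elements; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(actions, wanted):
    """IAM action wildcards (kms:*, kms:Put*) are case-insensitive glob matches."""
    wanted = wanted.lower()
    return any(fnmatch.fnmatchcase(wanted, a.lower()) for a in _as_list(actions))


def _principal_covers_root(principal, account_id):
    """True if the Principal element includes the account root (or everyone)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    root = f"arn:aws:iam::{account_id}:root"
    return any(p in ("*", root, account_id) for p in _as_list(principal.get("AWS")))


def _unsatisfiable_keys(condition):
    """Condition keys in this block that a direct PutKeyPolicy call never carries.
    Negated operators and ...IfExists variants evaluate true when the key is
    absent, so they do not lock the caller out."""
    keys = []
    for operator, pairs in (condition or {}).items():
        op = operator.lower()
        if "not" in op or op.endswith("ifexists"):
            continue
        keys.extend(k for k in pairs if k.lower() in SERVICE_ONLY_CONDITION_KEYS)
    return keys


def lockout_problems(policy, account_id):
    """Return [] when the policy keeps itself editable by the account root,
    otherwise a list of reasons. Accepts a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    reasons = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(stmt.get("Action"), "kms:PutKeyPolicy"):
            continue
        if not _principal_covers_root(stmt.get("Principal", {}), account_id):
            continue
        bad = _unsatisfiable_keys(stmt.get("Condition"))
        if not bad:
            return []  # this statement alone keeps the key policy editable
        reasons.append(
            f"{stmt.get('Sid', '<no sid>')}: root grant is conditioned on "
            f"{', '.join(bad)}, which a direct PutKeyPolicy call never carries")
    if not reasons:
        reasons.append("no Allow statement grants kms:PutKeyPolicy to the account root")
    return reasons


if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY_JSON)):
        print(name, lockout_problems(doc, ACCOUNT) or "ok")
```

To use it on a real plan, pull the rendered `policy` string for the aws_kms_key_policy resource out of `terraform show -json plan.out` and pass it to lockout_problems with your account id. Note that aws_kms_key_policy also exposes bypass_policy_lockout_safety_check; setting it would make KMS accept the original document, but the result is a key whose policy nobody in the account can ever change again, which is exactly what the check exists to prevent. Splitting the statements, as the answer does, is the right fix.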
