bipin shakya

Reputation: 31

AWS DMS Serverless Replication - getting no permission to access custom kms key while processing a RDS source encrypted with custom kms key

Getting the below error while running Serverless DMS with an AWS PostgreSQL RDS source encrypted with a custom KMS key.

Test connection failed for endpoint 'pgdb' and replication config 'otp-trig-rep'. Failure Message: 'No permission to access Key 'arn:aws:kms:us-east-1:59018XXXXXXX:key/8743xxxx-c8xx-4fxx-8bxx-1154xxxxxxxx'''

Since DMS Serverless uses the service-linked role AWSServiceRoleForDMSServerless, which can't be modified, I tried granting all permissions to this role in the custom KMS key policy. I'm still getting the above error.

Custom key policy snippet:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::5901XXXXXXXX:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless"
        ]
    },
    "Action": "kms:*",
    "Resource": "*"
}

Could anyone please suggest what I am missing and how this can be achieved?

Upvotes: 3

Views: 700

Answers (1)

systematicguy

Reputation: 139

I was fighting the same problem until I reviewed the auto-created KMS key aliased aws/dms in an account with an existing replication instance. After I added these statements to my custom KMS key, the permission problem was resolved.

Note how the star-principal is restricted to the same account.

{
    "Version": "2012-10-17",
    "Id": "auto-dms-1",
    "Statement": [
        {
            "Sid": "Allow access through DMS for all principals in the account that are authorized to use DMS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "dms.<REGION>.amazonaws.com",
                    "kms:CallerAccount": "<ACCOUNT>"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT>:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        }
    ]
}

From the docs:

Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its identities. To give permission to account administrators, the key policy must include an explicit statement that provides this permission, like this one.

Also from docs:

Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect.

Upvotes: 4
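A small checker, added here as an illustration and not code from either the question or the answer author, that inspects a KMS key policy document (for example the text returned by `aws kms get-key-policy --key-id <id> --policy-name default --output text`) for the two things the answer relies on: an Allow statement that grants the DMS actions through `kms:ViaService` for `dms.<region>.amazonaws.com` and is pinned to the account with `kms:CallerAccount`, and, as the defensive counterpart to the "star principal restricted to the same account" note, any wildcard-principal statement that lacks that account restriction. The region, account id and role ARN in the embedded sample policies are constructed placeholders; the action list expands the answer's `ReEncrypt*` and `GenerateDataKey*` wildcards into the concrete KMS actions.

```python
import fnmatch
import json
import sys

# Concrete KMS actions behind the answer's first statement, with the
# kms:ReEncrypt* and kms:GenerateDataKey* wildcards expanded.
DMS_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant", "kms:ListGrants", "kms:DescribeKey",
)


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" or "Principal": {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_all(granted_patterns, needed):
    """Every needed action must match at least one granted pattern (kms:* or kms:ReEncrypt* style)."""
    return all(any(fnmatch.fnmatchcase(a, p) for p in granted_patterns) for a in needed)


def _string_equals(statement):
    return statement.get("Condition", {}).get("StringEquals", {})


def dms_via_service_statements(policy, region, account):
    """Sids of Allow statements granting all DMS actions, scoped by kms:ViaService and kms:CallerAccount."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        eq = _string_equals(st)
        if f"dms.{region}.amazonaws.com" not in _as_list(eq.get("kms:ViaService", [])):
            continue
        if account not in _as_list(eq.get("kms:CallerAccount", [])):
            continue
        if _grants_all(_as_list(st.get("Action", [])), DMS_ACTIONS):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def unscoped_wildcard_statements(policy):
    """Sids of Allow statements with a '*' principal and no kms:CallerAccount condition."""
    return [
        st.get("Sid", "<no Sid>")
        for st in policy.get("Statement", [])
        if st.get("Effect") == "Allow"
        and _principal_is_wildcard(st.get("Principal"))
        and "kms:CallerAccount" not in _string_equals(st)
    ]


def check_policy(policy_text, region, account):
    """Parse a key policy document and summarise both checks."""
    policy = json.loads(policy_text)
    return {
        "dms_ok": bool(dms_via_service_statements(policy, region, account)),
        "unscoped_wildcards": unscoped_wildcard_statements(policy),
    }


# Constructed sample documents (placeholder region, account and role ARN).
ROOT_STMT = ('{"Sid": "Account admin", "Effect": "Allow", '
             '"Principal": {"AWS": "arn:aws:iam::111122223333:root"}, '
             '"Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant"], "Resource": "*"}')
GOOD_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Sid": "DMS via service", "Effect": "Allow", '
               '"Principal": {"AWS": "*"}, "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", '
               '"kms:GenerateDataKey*", "kms:CreateGrant", "kms:ListGrants", "kms:DescribeKey"], "Resource": "*", '
               '"Condition": {"StringEquals": {"kms:ViaService": "dms.us-east-1.amazonaws.com", '
               '"kms:CallerAccount": "111122223333"}}}, ' + ROOT_STMT + ']}')
# Shape of the question's attempt: kms:* granted directly to the service-linked role, no ViaService statement.
ROLE_ONLY_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Sid": "Allow use of the key", "Effect": "Allow", '
                    '"Principal": {"AWS": ["arn:aws:iam::111122223333:role/aws-service-role/dms.amazonaws.com/'
                    'AWSServiceRoleForDMSServerless"]}, "Action": "kms:*", "Resource": "*"}, ' + ROOT_STMT + ']}')
# A wildcard principal with no condition at all: the over-broad grant worth flagging.
OPEN_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Sid": "Open", "Effect": "Allow", '
               '"Principal": "*", "Action": "kms:Decrypt", "Resource": "*"}]}')

if __name__ == "__main__":
    # Usage: python check_kms_policy.py [policy.json] <region> <account>
    if len(sys.argv) == 4:
        print(check_policy(open(sys.argv[1]).read(), sys.argv[2], sys.argv[3]))
    else:
        for name, text in (("good", GOOD_POLICY), ("role-only", ROLE_ONLY_POLICY), ("open", OPEN_POLICY)):
            print(name, check_policy(text, "us-east-1", "111122223333"))
```

The role-only sample mirrors the question's policy: it is reported as lacking a ViaService-scoped statement, which is exactly the gap the answer's first statement fills, while the open sample shows the finding a reviewer would want raised before a `"Principal": "*"` statement is ever merged into a key policy.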
