The new key policy will not allow you to update the key policy in the future

Rabadash8820 · Feb 2, 2017 · Viewed 8.7k times

The title says it all. I am getting this error whenever I try to create a KMS key via an AWS CloudFormation template. I am creating the template as an IAM user with administrative permissions, and I want the key to be manageable by any IAM user in the same AWS account with KMS permissions. I am using the following YAML resource definition for the key:

LambdaKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action: kms:*
          Principal:
            AWS: <Principal>

And yet, NONE of the following values for <Principal> are working, even if I try to create the stack as the root user!

  • !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]
  • !Join [ "", [ "arn:aws:sts::", !Ref "AWS::AccountId", ":root" ] ]
  • !Ref "AWS::AccountId"

I can't just hardcode my user name for the Principal because I want this template to be instantiable by anyone with stack creation permissions. Does anyone know how to resolve this enormously frustrating situation? Thanks in advance.

EDIT:

I should mention that I no longer define KMS Key policies in CloudFormation Templates. In fact, I now avoid defining any security resources in my CF Templates at all, such as IAM entities, policies, and ACM certificates. My reasons for this are described in this GitHub issue.

Answer

spg · Feb 2, 2017

You are missing the Resource: "*" attribute. This worked for me:

  LambdaKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action: kms:*
          Resource: "*"
          Principal:
            AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]

The Resource: "*" is required and is the only possible value:

Resource – (Required) In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to.

See https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/ for an example.
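The two things the answer above points at, that a key policy only accepts `Resource: "*"` and that KMS refuses a policy which would leave nobody able to call `kms:PutKeyPolicy`, can both be checked offline before a stack is created. The following linter is an added example, not code from the question, the answer, or AWS. It works on the JSON that CloudFormation renders the YAML into, uses a placeholder account ID, and approximates the KMS lockout safety check conservatively (only an unconditional Allow of `kms:PutKeyPolicy` to the account root principal counts; `Deny` statements that touch it are flagged). The `arn:aws:sts::…:root` form the question tried is not how IAM identifies an account and is treated as not covering the root principal.

```python
import fnmatch
from typing import Any, Dict, List

# Constructed inputs (not from the original post): the question's policy without
# Resource, and the answer's corrected policy, as the JSON that CloudFormation
# renders the YAML into. The account ID is a placeholder.
ACCOUNT_ID = "111122223333"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"

BROKEN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Principal": {"AWS": ROOT_ARN}},
    ],
}

FIXED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
         "Principal": {"AWS": ROOT_ARN}},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and accept * and ? wildcards,
    so fnmatch on lower-cased strings is an adequate approximation."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _principal_covers(principal: Any, who: str) -> bool:
    """True if a statement's Principal names the account root ARN `who`.
    "*" and the bare 12-digit account ID (IAM shorthand for the root ARN)
    both count; anything else, including an arn:aws:sts::...:root string,
    does not."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for p in _as_list(principal.get("AWS")):
        if p in ("*", who):
            return True
        if isinstance(p, str) and p.isdigit() and f"arn:aws:iam::{p}:root" == who:
            return True
    return False


def lint_key_policy(policy: Dict[str, Any], admin: str = ROOT_ARN) -> List[str]:
    """Offline checks for the two ways a KMS key policy fails at create time:
    a Resource other than "*" (the only value a key policy accepts), and no
    unconditional Allow of kms:PutKeyPolicy to `admin`, which is the state
    the "will not allow you to update the key policy in the future" error
    describes. This is an approximation of the KMS safety check, not the
    real thing. Returns human-readable findings; an empty list means clean."""
    findings: List[str] = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return ["policy has no Statement"]

    allows_put = False
    for i, st in enumerate(statements):
        resources = _as_list(st.get("Resource"))
        if not resources:
            findings.append(f'statement {i}: missing Resource; a key policy needs Resource: "*"')
        elif resources != ["*"]:
            findings.append(f'statement {i}: Resource must be "*" in a key policy, got {resources}')
        if "Principal" not in st:
            findings.append(f"statement {i}: missing Principal")

        actions = _as_list(st.get("Action"))
        touches_put = any(_action_matches(a, "kms:PutKeyPolicy") for a in actions)
        if not touches_put or not _principal_covers(st.get("Principal"), admin):
            continue
        if st.get("Effect") == "Deny":
            # Conservative: a conditional Deny might not apply, but flag it anyway.
            findings.append(f"statement {i}: denies kms:PutKeyPolicy to {admin}, which locks the key")
        elif st.get("Effect") == "Allow" and resources == ["*"] and "Condition" not in st:
            allows_put = True

    if not allows_put:
        findings.append(f"no unconditional Allow of kms:PutKeyPolicy to {admin}; "
                        "KMS would reject this as locking the key policy")
    return findings


if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_key_policy(pol) or ["ok"])
```

Run against the question's policy the linter reports both the missing `Resource` and the resulting lockout; against the answer's policy it reports nothing. Because CloudFormation only surfaces the KMS error after it has started creating the stack, a check like this fits naturally into a pre-deploy lint step alongside `aws cloudformation validate-template`, which does not catch key-policy semantics.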