How do I get AWS cross-account KMS keys to work?

Ryan Fisher picture Ryan Fisher · Jan 18, 2018 · Viewed 9.4k times · Source

I'm trying to set up cross-account access to allow for an external account to use my KMS key to decrypt data from an S3 bucket. I have the key, policies, roles set up with what I believe is the correct grants but I can't describe the key from the external account. Hoping to get some input as to what I'm doing wrong.

Account 111: Key with policy grant to root of external account (999)

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

Role in account 999 with the policy attached granting access to key from 111:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        }
    ]
}

Yet when I assume the role in 999 using aws-shell:

aws> kms describe-key --key-id=abc-def

An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist

Answer

Viccari picture Viccari · Jan 18, 2018

Your key, role and policies are set up correctly. When you call describe-key on a Customer Master Key (CMK) that is on a different AWS account, you have to specify the key ARN or alias ARN in the value of the key-id parameter.

From the official docs:

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

That said, if you do something like below, it will work:

aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def