I am writing this question here after exploring it for a couple of days.
My application creates an AWS EKS cluster. Now I am also trying to encrypt my EKS secrets using a KMS key, but I am getting the error below.
User not authorized to perform kms:CreateGrant operation (Service: Eks, StatusCode: 400, Request ID: ....)
My application is creating an EKS cluster and uses a KMS key to encrypt the Kubernetes secrets.
Below is the IAM role policy attached to my application (my_iam_role):
{
  .......
  .......
  {
    "Sid": "KeyManagementServiceFull",
    "Action": [
      "kms:CreateAlias",
      "kms:CreateGrant",
      "kms:CreateKey",
      "kms:Decrypt",
      "kms:EnableKeyRotation",
      "kms:GenerateRandom",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:DescribeKey",
      "kms:ListAliases",
      "kms:Encrypt",
      "kms:TagResource",
      "kms:DeleteAlias",
      "kms:PutKeyPolicy",
      "kms:ScheduleKeyDeletion"
    ],
    "Effect": "Allow",
    "Resource": [
      "*"
    ]
  },
}
Below is the KMS key policy attached to the KMS key used to encrypt the EKS Kubernetes secrets:
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:root",
          "arn:aws:iam::ACCOUNT_ID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:aws:iam::ACCOUNT_ID:role/my_iam_role"
        ]
      },
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-myorgid"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:root",
          "arn:aws:iam::ACCOUNT_ID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:aws:iam::ACCOUNT_ID:role/my_iam_role"
        ]
      },
      "Action": [
        "kms:RevokeGrant",
        "kms:ListGrants",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-myorgid"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
To fix this, I added kms:CreateGrant to the 2nd statement block (Allow use of the key) and then it started working.
I am still trying to figure out why it started working after this change.
Can it be something around this condition in the key policy?
"Bool": {
  "kms:GrantIsForAWSResource": "true"
}
I might be missing some basic thing here. Can someone help me check if there is some issue with my policy definitions?
Thanks in advance!!
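The following is an added example, not code from the question's author or from AWS: a small offline model of how the three key-policy statements posted above are matched against a request, so the two versions of the policy (before and after adding kms:CreateGrant to "Allow use of the key") can be compared for the same kms:CreateGrant request. It assumes a constructed ACCOUNT_ID, matches the root ARN literally (real KMS treats that statement as delegating to IAM identity policies), ignores IAM policies, SCPs and existing grants, and models only "Principal.AWS" lists, trailing-"*" action patterns and StringEquals/Bool conditions. It does not say what EKS actually places in the request context; it only shows which statements can match when kms:GrantIsForAWSResource is "true", "false" or absent.

```python
"""Offline model of the KMS key policy evaluation from the question.

Added example, not AWS code. Assumptions: ACCOUNT_ID is a constructed
placeholder; the root ARN is matched literally; only Allow statements exist;
IAM identity policies, SCPs and grants are ignored; only StringEquals and
Bool conditions are modelled, with no IfExists variants.
"""
import copy
import fnmatch

ACCOUNT_ID = "123456789012"
ORG_ID = "o-myorgid"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/my_iam_role"
ASG_ARN = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
IN_ORG = {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}

# The key policy as posted in the question, before the fix.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [ROOT_ARN, ASG_ARN, ROLE_ARN]},
         "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt",
                    "kms:DescribeKey", "kms:Decrypt"],
         "Resource": "*", "Condition": IN_ORG},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [ROOT_ARN, ASG_ARN, ROLE_ARN]},
         "Action": ["kms:RevokeGrant", "kms:ListGrants", "kms:CreateGrant"],
         "Resource": "*",
         "Condition": {**IN_ORG, "Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator/key pair must match. A key that is absent from the
    request context never satisfies StringEquals or Bool."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            if operator == "StringEquals":      # case-sensitive string compare
                if actual not in [str(w) for w in _as_list(wanted)]:
                    return False
            elif operator == "Bool":            # "true"/"false", case-insensitive
                if actual.lower() != str(wanted).lower():
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def matching_statements(policy, principal_arn, action, context):
    """Return the Sids of Allow statements that grant `action` to
    `principal_arn` under the given request context."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"]["AWS"]):
            continue
        # Action patterns such as "kms:ReEncrypt*" use glob-style matching.
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        hits.append(stmt["Sid"])
    return hits


def is_allowed(policy, principal_arn, action, context):
    return bool(matching_statements(policy, principal_arn, action, context))


def with_create_grant_in_use_statement(policy):
    """The change the question describes: add kms:CreateGrant to the
    "Allow use of the key" statement, which has no GrantIsForAWSResource
    condition. Returns a copy; the original policy is left untouched."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt["Sid"] == "Allow use of the key":
            stmt["Action"].append("kms:CreateGrant")
    return fixed


if __name__ == "__main__":
    ctx_true = {"aws:PrincipalOrgID": ORG_ID, "kms:GrantIsForAWSResource": "true"}
    ctx_false = {"aws:PrincipalOrgID": ORG_ID, "kms:GrantIsForAWSResource": "false"}
    ctx_absent = {"aws:PrincipalOrgID": ORG_ID}
    for label, pol in (("original", KEY_POLICY),
                       ("fixed", with_create_grant_in_use_statement(KEY_POLICY))):
        for name, ctx in (("flag=true", ctx_true), ("flag=false", ctx_false),
                          ("flag absent", ctx_absent)):
            sids = matching_statements(pol, ROLE_ARN, "kms:CreateGrant", ctx)
            print(f"{label:8} kms:CreateGrant by my_iam_role, {name}: {sids}")
```

Running the block prints, for each policy version, which statements match a kms:CreateGrant call by my_iam_role; in the original policy only the third statement can match, and only when the request context carries kms:GrantIsForAWSResource set to true, whereas after the change the second statement matches regardless of that key. The same functions can be pointed at any other principal, action or context to see which statement, if any, is doing the work.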