AWS KMS permission issue: User not authorized to perform kms:CreateGrant (Service: EKS StatusCode: 400)


I am writing this question here after exploring it for a couple of days.

My application creates an AWS EKS cluster. Now I am also trying to encrypt my EKS secrets using a KMS key, but I am getting the error below.

User not authorized to perform kms:CreateGrant operation(Service: Eks, StatusCode:400, Request ID:....)

My application creates an EKS cluster and uses a KMS key to encrypt the Kubernetes secrets.

Below is the IAM role policy attached to my application (my_iam_role):

    {
       .......
       .......
       {
         "Sid": "KeyManagementServiceFull",
         "Action": [
           "kms:CreateAlias",
           "kms:CreateGrant",
           "kms:CreateKey",
           "kms:Decrypt",
           "kms:EnableKeyRotation",
           "kms:GenerateRandom",
           "kms:ListKeys",
           "kms:ListKeyPolicies",
           "kms:DescribeKey",
           "kms:ListAliases",
           "kms:Encrypt",
           "kms:TagResource",
           "kms:DeleteAlias",
           "kms:PutKeyPolicy",
           "kms:ScheduleKeyDeletion"
         ],
         "Effect": "Allow",
         "Resource": [
           "*"
         ]
       }
    }

Below is the KMS key policy attached to the KMS key used to encrypt the EKS k8s secrets:

    {
      "Version": "2012-10-17",
      "Id": "key-default-1",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::ACCOUNT_ID:root"
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::ACCOUNT_ID:root",
              "arn:aws:iam::ACCOUNT_ID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
              "arn:aws:iam::ACCOUNT_ID:role/my_iam_role"
            ]
          },
          "Action": [
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:DescribeKey",
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalOrgID": "o-myorgid"
            }
          }
        },
        {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::ACCOUNT_ID:root",
              "arn:aws:iam::ACCOUNT_ID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
              "arn:aws:iam::ACCOUNT_ID:role/my_iam_role"
            ]
          },
          "Action": [
            "kms:RevokeGrant",
            "kms:ListGrants",
            "kms:CreateGrant"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalOrgID": "o-myorgid"
            },
            "Bool": {
              "kms:GrantIsForAWSResource": "true"
            }
          }
        }
      ]
    }

To fix this, I added kms:CreateGrant to the 2nd statement block (Allow use of the key), and then it started working.

I am still trying to figure out why it started working after this change.

Can it be something around the condition in the key policy:

    "Bool": {
        "kms:GrantIsForAWSResource": "true"
    }

I might be missing some basic thing here. Can someone help me check if there is some issue with my policy definitions?

Thanks in advance!!

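The following is an added example, not part of the question or of any AWS tooling. It is a deliberately simplified key-policy evaluator, written to show why the third statement of the quoted key policy can fail to match a kms:CreateGrant call while the changed second statement does. In a KMS key policy, a StringEquals or Bool condition whose key is absent from the request context evaluates to false, so the statement carrying it does not apply; kms:GrantIsForAWSResource is only present (and "true") when an AWS service integrated with KMS calls the grant operation on the principal's behalf. The evaluator models Allow statements only (no explicit Deny, no IAM identity policy, no root-account delegation, no resource ARN matching), the account ID and the two request contexts are constructed placeholders, and it does not settle whether EKS populates that key; it only shows which request context each version of the policy matches.

```python
"""Simplified evaluator for the KMS key policy quoted in the question.

Added example, not the question's code. Models Allow statements of a key
policy only: no explicit Deny, no IAM identity policy, no root delegation,
no resource ARN matching. Account id and request contexts are constructed.
"""
import copy
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed placeholder account id
ROLE = f"arn:aws:iam::{ACCOUNT}:role/my_iam_role"
ORG = "o-myorgid"

# The key policy from the question, minus the autoscaling service role
# (irrelevant to the CreateGrant question) and with ACCOUNT_ID filled in.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:root", ROLE]},
         "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt",
                    "kms:DescribeKey", "kms:Decrypt"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG}}},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:root", ROLE]},
         "Action": ["kms:RevokeGrant", "kms:ListGrants", "kms:CreateGrant"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG},
                       "Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator/key pair in the Condition block must hold.

    A key that is missing from the request context fails StringEquals and
    Bool outright (the ...IfExists and Null operators are not modelled).
    """
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            if operator == "StringEquals":
                if actual not in [str(w) for w in _as_list(wanted)]:
                    return False
            elif operator == "Bool":
                if actual.lower() != str(wanted).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def statement_matches(stmt, principal, action, context):
    """Principal must be listed exactly; Action supports the '*' glob."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    return condition_matches(stmt.get("Condition", {}), context)


def evaluate(policy, principal, action, context):
    """Return the Sid of the first Allow statement that matches, or None
    (implicit deny) when no statement applies."""
    for stmt in policy["Statement"]:
        if statement_matches(stmt, principal, action, context):
            return stmt["Sid"]
    return None


def fixed_policy(policy):
    """The change the question describes: add kms:CreateGrant to the
    'Allow use of the key' statement, which carries no
    kms:GrantIsForAWSResource condition."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt["Sid"] == "Allow use of the key":
            stmt["Action"].append("kms:CreateGrant")
    return fixed


# Constructed request contexts: the key is absent when the grant operation is
# not flagged as being made by an integrated AWS service on the role's behalf.
DIRECT_CALL = {"aws:PrincipalOrgID": ORG}
ON_BEHALF_OF = {"aws:PrincipalOrgID": ORG, "kms:GrantIsForAWSResource": "true"}

if __name__ == "__main__":
    for label, pol in (("original", KEY_POLICY), ("fixed", fixed_policy(KEY_POLICY))):
        for ctx_label, ctx in (("direct", DIRECT_CALL), ("on-behalf-of", ON_BEHALF_OF)):
            print(f"{label:8} {ctx_label:12} kms:CreateGrant ->",
                  evaluate(pol, ROLE, "kms:CreateGrant", ctx))
```

With the original policy, a CreateGrant request from my_iam_role matches nothing unless kms:GrantIsForAWSResource is "true" in the request context; with the changed second statement it matches "Allow use of the key" in both contexts. The same function also shows that a principal outside the organisation (no aws:PrincipalOrgID in the context) matches nothing for kms:Encrypt, which is the guard the conditions are there to provide.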