I have an SSO user; this user assumes a role that has these rights:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:ListBucketVersions",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:ListAccessPoints"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::terraform-state-sso-iam*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::terraform-state-sso-iam/*",
        "arn:aws:s3:::terraform-state-sso-iam*/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::terraform-state-sso-iam*"
      ]
    }
  ]
}
This user then creates a KMS key which has these rights:
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1111111111:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::11111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
Then I create an S3 bucket with encryption enabled, using by default the KMS key I just created. But when I try to upload a file to the bucket, this is the error I get:
    AccessDenied: User: arn:aws:sts::11111111111:assumed-role/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613/[email protected] is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:11111111:key/4c786426-fg58-sfg7-45ft-sde5f45sd6 with an explicit deny in an identity-based policy
Am I missing some rights somewhere?
Edit:
As the first comment suggests, I removed this:
{
  "Action": "*",
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": [
        "11.11.11.11/32"
      ]
    }
  },
  "Effect": "Deny",
  "Resource": "*"
},
and now it's working, but it's strange that all the other actions work and only the upload fails, because my IP didn't change the whole time.
Explicit deny policies always override any & all allow IAM policies.
An administrator or another policy attached to your IAM user is denying access to one of the following:
- kms:GenerateDataKey in general
- arn:aws:kms:us-east-1:11111111:key/4c786426-fg58-sfg7-45ft-sde5f45sd6 in general
- kms:GenerateDataKey on arn:aws:kms:us-east-1:11111111:key/4c786426-fg58-sfg7-45ft-sde5f45sd6
Find & remove the deny policy so that any allow policies can actually take effect.
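Why only the upload failed, as an added illustration (my own code, not from the question, the answer or AWS): a miniature of IAM's evaluation logic run over the deny statement the asker removed. It assumes, following AWS's documented guidance for aws:SourceIp denies, that the kms:GenerateDataKey call S3 makes on the user's behalf for an SSE-KMS upload carries aws:ViaAWSService=true and a source address that is not the user's workstation; the request contexts and the 203.0.113.10 address are constructed. That is why the NotIpAddress deny hits the upload path alone, and why adding "aws:ViaAWSService": "false" to the deny keeps the IP restriction for direct calls without breaking service-initiated ones.

```python
import fnmatch
import ipaddress

ALLOWED_IP = "11.11.11.11/32"  # CIDR from the question's edit
KEY_ARN = "arn:aws:kms:us-east-1:11111111:key/4c786426-fg58-sfg7-45ft-sde5f45sd6"

# The deny statement the asker removed, as posted.
DENY_BY_IP = {"Effect": "Deny", "Action": "*", "Resource": "*",
              "Condition": {"NotIpAddress": {"aws:SourceIp": [ALLOWED_IP]}}}
# Same deny plus the AWS-documented aws:ViaAWSService exclusion, so the IP
# restriction applies only to calls the principal makes directly.
DENY_BY_IP_FIXED = {**DENY_BY_IP, "Condition": {**DENY_BY_IP["Condition"],
                    "Bool": {"aws:ViaAWSService": "false"}}}
ALLOW_KMS = {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"}

# Constructed request contexts: the CLI call carries the user's IP; when S3
# calls KMS for an SSE-KMS PutObject the request is sourced by the service
# (placeholder address), so NotIpAddress matches and the deny wins.
DIRECT_CALL = {"aws:SourceIp": "11.11.11.11", "aws:ViaAWSService": "false"}
S3_ON_BEHALF = {"aws:SourceIp": "203.0.113.10", "aws:ViaAWSService": "true"}

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            if key not in ctx:  # an absent context key never satisfies
                return False
            wanted = [wanted] if isinstance(wanted, str) else wanted
            if operator == "NotIpAddress":
                ip = ipaddress.ip_address(ctx[key])
                if any(ip in ipaddress.ip_network(c) for c in wanted):
                    return False
            elif str(ctx[key]).lower() != wanted[0].lower():  # Bool operator
                return False
    return True

def evaluate(statements, action, resource, ctx):
    """Explicit Deny beats every Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for st in statements:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Only NotIpAddress and Bool are modelled, since those are the operators that appear in the thread; the real evaluator also applies SCPs, permission boundaries and the key policy before reaching the same deny-wins result.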