I have Encrypted SNS topic with KMS key. Here is KMS policy:
Type: 'AWS::KMS::Key'
Properties:
Description: Key for SNS Encryption
Enabled: true
EnableKeyRotation: true
KeyPolicy:
Version: 2012-10-17
Id: KmsKeyPolicy
Statement:
- Sid: AllowDFX5AdminPermissionSet
Effect: Allow
Principal:
AWS: !Ref ParamKMSKeyAdministratorUserRoleArn
Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:TagResource
- kms:UntagResource
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
Resource: '*'
- Sid: AllowAccountPoliciesToUseKey
Effect: Allow
Principal:
Service:
- states.amazonaws.com
- sns.amazonaws.com
Action:
- kms:Encrypt
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKey
- kms:ReEncrypt*
Resource: '*'
My state machine role has appropriate permissions:
Effect: Allow
Action:
- kms:Encrypt
- kms:ReEncrypt*
- kms:Decrypt
- kms:GenerateDataKey*
Resource: !Ref ParamKmsKeyArn
However, my state machine is giving me a following error: User: arn:aws:sts::190565753270:assumed-role/dfx5-health-monitoring-dev-StepFun-StepFunctionRole-kMolFlKjZ3lh/HxHgpfIkpnjBOOhbdJevmlLNhdAkSNhL is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:190565753270:key/c5697944-70f3-4806-b94a-0e081826ee25 because no resource-based policy allows the kms:GenerateDataKey action
This error is telling me that my state machine role has not KMS permissions but it is there. I guess the problem will be with KMS policy. Any ideas please?
As Olakunle indicated, you must include the IAM role that the state machine is using. Some services send directly to SNS, but Step functions is not one of them (See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html) But a few points:
If you directly give permissions to an IAM role in the KMS key policy, you do not need to give permissions in the IAM policy. This is effectively the same as in any other resource policy, except that with KMS, you must give permissions in the Key Policy, it cannot only be done in the IAM Policy.
arn:aws:iam::ACCOUNT:root, you are not granting all roles permission, but you are delegating access to the key to IAM, which means then you give access by adding permissions in the IAM role policy (but only to the permissions you permit in the key policy).In this case you do not grant permissions to the Service. The IAM Role is the principal that needs permissions. If you want to restrict access to it being used with a specific service, then you need a condition to ensure that it is done VIA the service, and within that region. For example, here is how you would do it in JSON. I included both the section for granting the role access, and if one of the services that send directly to SNS (per the link above) was to be given access.