Terraform KMS access denied?


I'm having a problem getting Terraform to decrypt my KMS ciphertext.

I have used the AWS CLI to create a new KMS ciphertext.

aws kms create-key
aws kms create-alias --alias-name alias/some-name --target-key-id KEYID
aws kms encrypt --key-id KEYID --plaintext SOMETEXT

In my terraform file I have added:

data "aws_kms_secrets" "example" {
  secret {
    name = "some-name"
    payload = "AQICAHgVf2E9PsbkjhirN4jL+dPBwssdKYuzvWfinKOjd/F3CAHsILNXf2iPu08U0FgT88FcAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMVxbKhOhe6Ykgqrc8AgEQgDv9fPIMcjvGOpK78J43xMMxR9C35cJvFT+JAHTxgd5Nk5lNfS+/AyJY+5W4TVq9sLw0Cz8ziSM/HW2xVg=="
  }
}

But, when I run terraform plan I get the following error:

data.aws_kms_secrets.example: Refreshing state...

Error: Failed to decrypt 'some-name': AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
status code: 400, request id: 8daef259-61b4-4cb0-9991-bb84ad76c71a

However, I can use the AWS CLI to successfully decrypt the ciphertext:

aws kms decrypt --profile=freid --region=eu-west-2 --ciphertext-blob fileb://<(echo AQICAHgVf2E9PsbkjhirN4jL+dPBwssdKYuzvWfinKOjd/F3CAHsILNXf2iPu08U0FgT88FcAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMVxbKhOhe6Ykgqrc8AgEQgDv9fPIMcjvGOpK78J43xMMxR9C35cJvFT+JAHTxgd5Nk5lNfS+/AyJY+5W4TVq9sLw0Cz8ziSM/HW2xVg== | base64 -D) --query Plaintext --output text | base64 -D

Both my CLI and Terraform use the same AWS creds, so I don't think it is a permissions issue. I am using the region eu-west-2, but when I run terraform plan it asks me to set provider.aws.region, which I set to eu-west-2. I'm not sure why it asks me to set this, because in the plan I set it anyway to eu-west-2:

provider aws {
  profile = "freid"
  region = "eu-west-2"
}

So, I am kind of confused as to why Terraform is getting an access denied exception. Any help would be greatly appreciated; you can find my tf files here: https://github.com/redstraw/sommelier/tree/master/infrastructure
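The AccessDeniedException quoted above names three possible causes (key does not exist, key is in another region, caller not allowed), and the CLI decrypt succeeding only proves the ciphertext is valid for the profile and region passed on the command line. The following script, added here as an example and not part of the original question, decrypts with exactly the profile and region the provider block declares, reads the key ARN that KMS returns in the Decrypt response, and checks that ARN against the configured region and the caller's account. The KeyRef, parse_key_arn, mismatch_findings and decrypt_and_check names are my own; boto3, a local AWS profile named freid and the ciphertext from the question are assumptions, and the plaintext is reported only by length so the secret never reaches the terminal.

```python
"""Find out which KMS key a ciphertext resolves to and whether that key is
reachable from the region and account Terraform's provider is configured for.
Added example (not the original poster's code)."""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRef:
    """The parts of a KMS key ARN that matter for the three failure causes."""
    partition: str
    region: str
    account: str
    key_id: str


def parse_key_arn(arn: str) -> KeyRef:
    """Split a KMS key ARN such as arn:aws:kms:eu-west-2:123456789012:key/<uuid>.

    Raises ValueError for anything that is not a KMS *key* ARN so that a
    mistakenly supplied alias or non-KMS ARN is reported instead of silently
    producing wrong findings.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    _, partition, _, region, account, resource = parts
    if not resource.startswith("key/"):
        raise ValueError(f"expected a key resource, got {resource!r}")
    return KeyRef(partition, region, account, resource[len("key/"):])


def mismatch_findings(key_arn: str, configured_region: str, caller_account: str) -> list:
    """Map the causes listed in the AccessDeniedException onto concrete checks.

    Returns an empty list when the key lives in the configured region and the
    caller's own account, i.e. when only a key-policy/IAM grant could be missing.
    """
    ref = parse_key_arn(key_arn)
    findings = []
    if ref.region != configured_region:
        findings.append(
            f"ciphertext was produced by a key in {ref.region}, but the provider "
            f"is configured for {configured_region}; KMS keys are regional"
        )
    if ref.account != caller_account:
        findings.append(
            f"key belongs to account {ref.account} while the credentials in use "
            f"belong to account {caller_account}; the key policy must grant that principal"
        )
    return findings


def decrypt_and_check(ciphertext_b64: str, profile: str, region: str) -> dict:
    """Decrypt with exactly the profile/region the provider block uses.

    boto3 is imported lazily so the pure helpers above run without AWS access.
    Assumption: boto3 is installed and `profile` exists in ~/.aws/config.
    """
    import boto3

    session = boto3.Session(profile_name=profile, region_name=region)
    account = session.client("sts").get_caller_identity()["Account"]
    response = session.client("kms").decrypt(CiphertextBlob=base64.b64decode(ciphertext_b64))
    return {
        "key_arn": response["KeyId"],                       # ARN of the key that decrypted it
        "plaintext_length": len(response["Plaintext"]),    # never print the secret itself
        "findings": mismatch_findings(response["KeyId"], region, account),
    }


if __name__ == "__main__":
    # Profile, region and ciphertext are the ones shown in the question.
    CIPHERTEXT = (
        "AQICAHgVf2E9PsbkjhirN4jL+dPBwssdKYuzvWfinKOjd/F3CAHsILNXf2iPu08U0FgT88Fc"
        "AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM"
        "VxbKhOhe6Ykgqrc8AgEQgDv9fPIMcjvGOpK78J43xMMxR9C35cJvFT+JAHTxgd5Nk5lNfS+/"
        "AyJY+5W4TVq9sLw0Cz8ziSM/HW2xVg=="
    )
    result = decrypt_and_check(CIPHERTEXT, profile="freid", region="eu-west-2")
    print("decrypted with key:", result["key_arn"])
    print("plaintext bytes:   ", result["plaintext_length"])
    for finding in result["findings"] or ["no region/account mismatch detected"]:
        print("-", finding)
```

If the script decrypts cleanly with no findings while Terraform still fails, the credentials or region Terraform actually resolves differ from the ones in the provider block (for example a provider block that is not in the directory being planned), which is the direction the prompt for provider.aws.region already points.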

Best answer:

I didn't realise, but you need to add the provider into every .tf file when you are not using the default aws profile.

Once I added this to example.tf, it started working:

provider aws {
  profile = "freid" 
  region = "eu-west-2" 
}

I'm not entirely sure why this is the case. If anyone knows why please comment.