Getting the error in using Terraform for AWS: "The new key policy will not allow you to update the key policy in the future."

Running Terraform to create a key policy in AWS KMS, I am getting the error:

  • aws_kms_key.dyn_logs_server_side_cmk: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future. status code: 400, request id: e34567896780780

There are many posts about this problem but nothing helped. So, my kms.tf file is as follows:

provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region     = "${var.aws_region}"
}

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description         = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = "true"
    # Heredoc terminator must sit alone on its own line.
    policy = <<EOF
{
    "Version":"2015-11-17",
    "Statement":[
    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::${var.account_id}:root"},
        "Action": "kms:*",
        "Resource": "*"
    }
    ]
}
EOF
}

That’s what I see in the output after

terraform apply "dyn-vpc.plan"

aws_kms_key.dyn_logs_server_side_cmk: Creating...
arn:                 "" => "<computed>"
description:         "" => "dyn-logs-server-dyn"
enable_key_rotation: "" => "true"
is_enabled:          "" => "true"
key_id:              "" => "<computed>"
key_usage:           "" => "<computed>"
policy:              "" => "{\n   \"Version\":\"2015-11-17\",\n   \"Statement\":[\n      {\n         \"Sid\": \"Enable IAM User Permissions\",\n         \"Effect\": \"Allow\",\n         
\"Principal\": {\"AWS\": \"arn:aws:iam::12345678901234:root\"},\n         \"Action\": \"kms:*\",\n         \"Resource\": \"*\"\n      }\n   ]\n}\n"

aws_kms_key.dyn_logs_server_side_cmk: Still creating... (10s elapsed)
aws_kms_key.dyn_logs_server_side_cmk: Still creating... (20s elapsed)
Error applying plan:
1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk: 1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk:
MalformedPolicyDocumentException: The new key policy will not allow
you to update the key policy in the future.
Alex asked Jan 29 '18 20:01

2 Answers

In my case the account id was correct, but the user creating the key wasn't included in the Enable IAM User Permissions statement. I had to do this:

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description         = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = "true"
    # "Version" must be a supported policy-language version ("2012-10-17");
    # the heredoc terminator must sit alone on its own line.
    policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
    {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                 "arn:aws:iam::${var.account_id}:root",
                 "arn:aws:iam::${var.account_id}:user/system/terraform-user"
             ]
        },
        "Action": "kms:*",
        "Resource": "*"
    }
    ]
}
EOF
}
gary69 answered Nov 12 '22 14:11


Basically, the comment from @ydaetskcoR was right. The account_id in the policy was incorrect, and this resulted in the error. The MalformedPolicyDocumentException is not really informative; one needs to find the real reason.

Alex answered Nov 12 '22 14:11
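Both answers point at the same rule behind this error: KMS refuses a key policy that would leave the caller unable to run kms:PutKeyPolicy afterwards, so the "Enable IAM User Permissions" statement must name the caller's own account root (or the calling principal) with a supported Version. The check below is an added example, not code from the thread, that applies that rule to a policy document before it reaches AWS; the account id, user ARN and the two sample policies are constructed to mirror the question (wrong account root) and the answer (correct root plus the Terraform user).

```python
import fnmatch
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
PUT_KEY_POLICY = "kms:putkeypolicy"

def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _grants_put_key_policy(actions):
    """True if any Action pattern (kms:*, kms:Put*, ...) matches kms:PutKeyPolicy."""
    return any(fnmatch.fnmatchcase(PUT_KEY_POLICY, a.lower()) for a in _as_list(actions))

def lockout_problems(policy_json, caller_account, caller_arn):
    """Reasons this key policy would trip the lockout check for the caller; [] if OK."""
    policy = json.loads(policy_json)
    root_arn = f"arn:aws:iam::{caller_account}:root"
    problems, caller_allowed = [], False
    if policy.get("Version") not in VALID_VERSIONS:
        problems.append(f"unsupported policy Version {policy.get('Version')!r}")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_put_key_policy(stmt.get("Action", [])):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # key policies must use Resource "*"
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p in ("*", root_arn, caller_arn, caller_account):  # bare account id == root
                caller_allowed = True
            elif p.endswith(":root"):
                problems.append(f"root principal {p} is not account {caller_account}")
    if not caller_allowed:
        problems.append("no Allow statement gives kms:PutKeyPolicy to the caller")
    return problems

# Constructed samples: the question's policy (root of the wrong account, invalid
# Version) and the answer's policy (correct root plus the Terraform user itself).
CALLER_ACCOUNT = "123456789012"
CALLER_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:user/system/terraform-user"
STATEMENT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Action": "kms:*", "Resource": "*"}
QUESTION_POLICY = json.dumps({"Version": "2015-11-17", "Statement": [
    dict(STATEMENT, Principal={"AWS": "arn:aws:iam::999999999999:root"})]})
ANSWER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(STATEMENT, Principal={"AWS": [f"arn:aws:iam::{CALLER_ACCOUNT}:root", CALLER_ARN]})]})
```

Run it as `lockout_problems(QUESTION_POLICY, CALLER_ACCOUNT, CALLER_ARN)` during plan review; the real check is server-side, and the `bypass_policy_lockout_safety_check` argument only suppresses it, leaving a key whose policy nobody can change, so it is better to catch the mismatch here than to work around it.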