Terraform AWS VPC 和 KMS:读取 KMS 密钥 AccessDeniedException

huangapple go评论73阅读模式
英文:

Terraform AWS VPC and KMS: Reading KMS Key AccessDeniedException

问题

module.vpc.aws_route.private_nat_gateway[0]: 刷新状态... [id=r-rtb-0757df1e6d39122912345678987]
module.vpc_endpoints.data.aws_vpc_endpoint_service.this["s3"]: 0秒后读取完成 [id=421234567]
module.vpc_endpoints.aws_vpc_endpoint.this["s3"]: 刷新状态... [id=vpce-0c225a51234567898]

错误:读取KMS密钥(999999999-c13c-8888-a5cb-9876554321)时发生错误:读取KMS密钥(999999999-c13c-8888-a5cb-9876554321):AccessDeniedException:用户arn:aws:iam::12345678998765:user/peter.user未被授权执行kms:DescribeKey对资源arn:aws:kms:us-east-2:12345678998765:key/999999999-c13c-8888-a5cb-9876554321,因为没有基于资源的策略允许kms:DescribeKey操作

我运行以下代码来创建VPC时遇到了上述KMS密钥错误。
我有三个问题:

  1. 为什么以下代码使用了KMS密钥?
  2. 如何使以下代码不使用某人创建的KMS密钥(注意:创建密钥的人已经离开)?
  3. 我创建了自己的密钥,如何使用我创建的KMS密钥?
英文:

module.vpc.aws_route.private_nat_gateway[0]: Refreshing state... [id=r-rtb-0757df1e6d39122912345678987]
module.vpc_endpoints.data.aws_vpc_endpoint_service.this["s3"]: Read complete after 0s [id=421234567]
module.vpc_endpoints.aws_vpc_endpoint.this["s3"]: Refreshing state... [id=vpce-0c225a51234567898]

Error: reading KMS Key (999999999-c13c-8888-a5cb-9876554321): reading KMS Key (999999999-c13c-8888-a5cb-9876554321): AccessDeniedException: User: arn:aws:iam::12345678998765:user/peter.user is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-2:12345678998765:key/999999999-c13c-8888-a5cb-9876554321 because no resource-based policy allows the kms:DescribeKey action

I got above KMS key errors when I run the code as follows to provision VPC.
I have three questions:

  1. Why the code as follows uses the KMS Key?
  2. How to make the code as follows to not using the KMS key someone created (Note: the person who created the key has left)?
  3. I created my own key, how to use the KMS key I created instead?
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"

  azs                                             = local.availability_zones
  cidr                                            = local.vpc_cidr
  create_database_subnet_group                    = false
  create_flow_log_cloudwatch_iam_role             = true
  create_flow_log_cloudwatch_log_group            = true
  database_subnets                                = local.database_subnets
  enable_dhcp_options                             = true
  enable_dns_hostnames                            = true
  enable_dns_support                              = true
  enable_flow_log                                 = true
  enable_nat_gateway                              = true
  flow_log_cloudwatch_log_group_retention_in_days = var.days
  flow_log_max_aggregation_interval               = var.interval
  name                                            = var.environment
  one_nat_gateway_per_az                          = false
  private_subnets                                 = local.private_subnets
  public_subnets                                  = local.public_subnets
  single_nat_gateway                              = true
  tags                                            = var.tags
}

module "vpc_endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version = "5.0.0"
  vpc_id = module.vpc.vpc_id
  tags   = var.tags

  endpoints = {
    s3 = {
      route_table_ids = flatten([module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
      service         = "s3"
      service_type    = "Gateway"
      tags            = { Name = "s3-vpc-endpoint" }
    }
  }
}

答案1

得分: 1

检查关键资源策略是否允许您的原则,并且检查您的用户的IAM策略是否能够访问并解密使用KMS密钥。

您无法以其他方式解决此问题,因为Terraform需要描述密钥以获取资源状态,因此在计划阶段失败之前无法完成计划。

英文:

Check the key resource policy if it allows your principle and also check if your IAM policy on your user is able to access and decrypt with the KMS key.

You won't be able to solve it another way because Terraform needs a describe key to get the state of the resource so it fails in the plan stage before it can finish the plan.

huangapple
  • 本文由 发表于 2023年6月29日 06:00:11
  • 转载请务必保留本文链接:https://go.coder-hub.com/76576953.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定