Terraform AWS VPC and KMS: Reading KMS Key AccessDeniedException
Question
module.vpc.aws_route.private_nat_gateway[0]: Refreshing state... [id=r-rtb-0757df1e6d39122912345678987]
module.vpc_endpoints.data.aws_vpc_endpoint_service.this["s3"]: Read complete after 0s [id=421234567]
module.vpc_endpoints.aws_vpc_endpoint.this["s3"]: Refreshing state... [id=vpce-0c225a51234567898]
Error: reading KMS Key (999999999-c13c-8888-a5cb-9876554321): reading KMS Key (999999999-c13c-8888-a5cb-9876554321): AccessDeniedException: User: arn:aws:iam::12345678998765:user/peter.user is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-2:12345678998765:key/999999999-c13c-8888-a5cb-9876554321 because no resource-based policy allows the kms:DescribeKey action
I got the above KMS key error when I ran the following code to provision a VPC.
I have three questions:
- Why does the following code use a KMS key?
- How can I make the following code not use the KMS key someone else created (note: the person who created the key has left)?
- I created my own key; how do I use the KMS key I created instead?
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"

  azs                                             = local.availability_zones
  cidr                                            = local.vpc_cidr
  create_database_subnet_group                    = false
  create_flow_log_cloudwatch_iam_role             = true
  create_flow_log_cloudwatch_log_group            = true
  database_subnets                                = local.database_subnets
  enable_dhcp_options                             = true
  enable_dns_hostnames                            = true
  enable_dns_support                              = true
  enable_flow_log                                 = true
  enable_nat_gateway                              = true
  flow_log_cloudwatch_log_group_retention_in_days = var.days
  flow_log_max_aggregation_interval               = var.interval
  name                                            = var.environment
  one_nat_gateway_per_az                          = false
  private_subnets                                 = local.private_subnets
  public_subnets                                  = local.public_subnets
  single_nat_gateway                              = true
  tags                                            = var.tags
}

module "vpc_endpoints" {
  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version = "5.0.0"

  vpc_id = module.vpc.vpc_id
  tags   = var.tags

  endpoints = {
    s3 = {
      route_table_ids = flatten([module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
      service         = "s3"
      service_type    = "Gateway"
      tags            = { Name = "s3-vpc-endpoint" }
    }
  }
}
Answer 1
Score: 1
Check the key resource policy to see if it allows your principal, and also check whether the IAM policy on your user is able to access and decrypt with the KMS key.
You won't be able to solve it another way, because Terraform needs to describe the key to get the state of the resource, so it fails in the plan stage before it can finish the plan.
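The error message says "no resource-based policy allows the kms:DescribeKey action", which points at the key policy rather than the user's IAM policy: KMS only honours an IAM identity policy if the key policy also delegates to the account, and a key whose policy named only the person who has since left is effectively orphaned. The following is an added example, not code from the question or the answer, showing a replacement key whose policy allows the deploying user from the error message, keeps the account root as administrator so the key cannot be orphaned again, and lets CloudWatch Logs use it for the flow log group. It assumes the root module is free to create its own key, reuses the account id and user ARN from the error output, and assumes the VPC module's flow_log_cloudwatch_log_group_kms_key_id input is where the key belongs, since the snippet in the question never references a key directly.

```hcl
# Added example: a KMS key the deploying principal is actually allowed to read.
# Assumed: account id and user ARN taken from the error message in the question;
# the region, alias name and module input below are assumptions for this example.

data "aws_region" "current" {}

locals {
  account_id         = "12345678998765"                                 # from the error message
  terraform_user_arn = "arn:aws:iam::${local.account_id}:user/peter.user" # from the error message
}

data "aws_iam_policy_document" "flow_log_key" {
  # Account root stays key administrator, so losing one IAM user never makes
  # the key unmanageable. This statement is also what lets IAM policies apply.
  statement {
    sid       = "EnableRootAccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # Terraform refresh needs DescribeKey on the key it tracks in state;
  # grant read-only metadata actions to the user that runs terraform.
  statement {
    sid       = "AllowTerraformPrincipalToReadKey"
    actions   = ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListResourceTags"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.terraform_user_arn]
    }
  }

  # CloudWatch Logs must be able to use the key to encrypt the flow log group;
  # the encryption-context condition limits use to log groups in this account.
  statement {
    sid       = "AllowCloudWatchLogsToUseKey"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${local.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "flow_log" {
  description         = "Encrypts the VPC flow log CloudWatch log group"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.flow_log_key.json
  tags                = var.tags
}

resource "aws_kms_alias" "flow_log" {
  name          = "alias/vpc-flow-log" # assumed alias name
  target_key_id = aws_kms_key.flow_log.key_id
}

# Assumed wiring: pass the new key to the VPC module's flow log group input,
# added alongside the other arguments in the question's module "vpc" block.
# module "vpc" {
#   ...
#   flow_log_cloudwatch_log_group_kms_key_id = aws_kms_key.flow_log.arn
# }
```

The second statement is the one that makes the plan stage succeed: DescribeKey is the only call Terraform issues during refresh, so that is the minimum to grant, and the broader kms:* grant is reserved for the account root rather than for any individual user. If the old key still has to be read (for example because it is referenced in the state file), its key policy has to be edited by a principal the current policy already allows, or by the account root if the policy includes the root statement above.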