amazon-web-services - How do I get an AWS cross-account KMS key to work?

Reposted. Author: 行者123 Updated: 2023-12-03 01:30:20

I am trying to set up cross-account access so that an external account can use my KMS key to decrypt data in an S3 bucket. I have set up the key, policies and role with what I believe are the correct grants, but I cannot describe the key from the external account. I would appreciate some input on what I am doing wrong.

Account 111: the key, with a policy granting access to the root of the external account (999)

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::999:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::999:root"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

The role in account 999, with an attached policy granting access to the key in 111:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": "arn:aws:kms:us-west-2:111:key/abc-def",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111:key/abc-def"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        }
    ]
}

However, when I assume that role in 999 using aws-shell:

aws> kms describe-key --key-id=abc-def

An error occurred (NotFoundException) when calling the DescribeKey operation: Key 'arn:aws:kms:us-west-2:999:key/abc-def' does not exist

Best answer

Your key, role and policies are set up correctly. When you call describe-key on a customer master key (CMK) in a different AWS account, you must specify the key ARN or alias ARN as the value of the key-id parameter.

From the official docs:

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

In other words, it will work if you do the following:

aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
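The following is an added illustration, not code from the question or the answer: a small, offline model of how KMS resolves a key ID and authorizes a cross-account call. It reproduces the two things the thread turns on: a bare key ID is looked up in the caller's own account and region (hence the NotFoundException against account 999), and a cross-account call must be allowed by both the key policy in 111 and the caller's IAM policy in 999. The policies are constructed and reduced to the relevant statements; Deny statements and Condition keys are deliberately not modelled.

```python
import fnmatch

KEY_ACCOUNT, CALLER_ACCOUNT, REGION = "111", "999", "us-west-2"
KEY_ARN = f"arn:aws:kms:{REGION}:{KEY_ACCOUNT}:key/abc-def"

# Constructed policies, cut down to the statements that matter for this example.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"}]}
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey"],
     "Resource": KEY_ARN}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _allows(policy, action, resource, principal=None):
    """True if an Allow statement matches action, resource and (if given) principal.
    Simplified on purpose: no Deny evaluation, no Condition keys."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None and principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def resolve_key_id(key_id, caller_account, region):
    """KMS treats a bare key ID as a key in the caller's own account and region."""
    if key_id.startswith("arn:"):
        return key_id
    return f"arn:aws:kms:{region}:{caller_account}:key/{key_id}"

def kms_call(action, key_id, caller_account=CALLER_ACCOUNT, region=REGION):
    arn = resolve_key_id(key_id, caller_account, region)
    if arn != KEY_ARN:  # the only key that exists in this toy KMS lives in account 111
        return f"NotFoundException: Key '{arn}' does not exist"
    # Cross-account: key policy must allow the caller's account root AND the
    # caller's own IAM policy must allow the action on the key ARN.
    key_ok = _allows(KEY_POLICY, action, arn, f"arn:aws:iam::{caller_account}:root")
    iam_ok = _allows(ROLE_POLICY, action, arn)
    return f"OK: {arn}" if key_ok and iam_ok else "AccessDeniedException"

if __name__ == "__main__":
    print(kms_call("kms:DescribeKey", "abc-def"))  # bare ID -> resolved into 999 -> NotFound
    print(kms_call("kms:DescribeKey", KEY_ARN))    # full key ARN -> OK
```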

Regarding "amazon-web-services - How do I get an AWS cross-account KMS key to work?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/48317364/
