I tried looking in the documentation for the KMS permissions that Packer needs to encrypt volumes. I couldn't find it. Is there a list of permissions somewhere that I should add to my Packer IAM user for KMS? I'd rather avoid giving it full KMS access. The only option I have now is to guess and check different permutations of permissions.
Thanks for reaching out! The list of permissions is here: https://www.packer.io/docs/builders/amazon.html#iam-task-or-instance-role
@SwampDragons those permissions don't seem to address the permissions I need to use the encryption key in KMS. I've had those permissions listed there prior to asking the question. I later realized that I had to add an additional KMS:* full access to the IAM user for encryption to work.
Error that I get with the default permissions in the docs: ResourceNotReady: failed waiting for successful resource state
I'm wondering if there are permissions listed for KMS. I don't want to give it full admin access. I've played around with giving it full list/read/encrypt/decrypt permissions, but that still causes the error above.
Oh, I see! I will figure this out for you and document it ASAP.
I believe the minimum necessary policies are:
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}
Hi! I'm using KMS with Packer in a slightly different situation, where the encryption key specified is owned by a different AWS account. I needed to add these additional permissions for it to work:
kms:CreateGrant
kms:DescribeKey
Thanks for the note; I'll add this case to the docs.
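Putting the thread's findings together, as an added example that is not part of the issue or of Packer's documentation: the statement below combines the maintainer's two-action minimum with the two extra actions from the cross-account report, scopes `Resource` to a placeholder key ARN instead of `*` (an assumption; substitute the CMK your template references), and includes a small checker that confirms the statement covers each action named in the thread without granting anything like `kms:*`.

```python
"""Least-privilege KMS statement for a Packer build user, plus a checker that
confirms which actions it covers.  Added example, not from the issue thread."""
import fnmatch
import json

# Placeholder key ARN (constructed): scope the grant to one CMK, not "*".
KMS_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/"
    "00000000-0000-0000-0000-000000000000"
)

# The four actions named in the thread: the maintainer's minimum plus the two
# needed when the key lives in another account.
PACKER_KMS_STATEMENT = {
    "Sid": "AllowPackerUseOfBuildKey",
    "Effect": "Allow",
    "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:DescribeKey",
    ],
    "Resource": KMS_KEY_ARN,
}


def allowed_actions(statement):
    """Return the Action patterns of an Allow statement as a list."""
    if statement.get("Effect") != "Allow":
        return []
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def is_allowed(statement, action):
    """IAM action matching is case-insensitive; '*' matches any suffix."""
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in allowed_actions(statement)
    )


def missing_actions(statement, required):
    """Actions from `required` that the statement does not cover."""
    return [a for a in required if not is_allowed(statement, a)]


def policy_document(*statements):
    """Wrap one or more statements in a full policy document (JSON text)."""
    return json.dumps(
        {"Version": "2012-10-17", "Statement": list(statements)}, indent=2
    )


if __name__ == "__main__":
    needed = ["kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey",
              "kms:CreateGrant", "kms:DescribeKey"]
    print("missing:", missing_actions(PACKER_KMS_STATEMENT, needed))
    print(policy_document(PACKER_KMS_STATEMENT))
```

Attach the printed document to the Packer user instead of `kms:*`; if a build still fails with the `ResourceNotReady` error from the thread, run `missing_actions` against the action named in the CloudTrail `AccessDenied` event rather than widening the policy blindly.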
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.