I'm trying to change my aws_kms_key to use a group instead of user as principal, but that gave me an error.
Terraform v0.8.1
This part works:
```hcl
resource "aws_kms_key" "lambda-slack" {
  description         = "Lambda/Slack integration key"
  enable_key_rotation = "true"

  policy = <<LAMBDA_SLACK_KEY
{
  "Id": "key-consolepolicy-2",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/turbo",
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/otheruser"
        ]
      },
      "Action": [
        "kms:Create*",
        [etc]
      ],
      "Resource": "*"
    },
    [etc]
  ]
}
LAMBDA_SLACK_KEY
}
```
But if I change the `...:user/...` entries to ONE `...:group/admins` (which exists; I'm using it in an `aws_iam_policy_document` successfully), then I get the error

```
* aws_kms_key.lambda-slack: InvalidArnException:
```
@FransUrbo Hi,
Actually this is not a bug in Terraform but an AWS specification.

http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

> Principal – (Required) The principal is the identity that the permissions in the policy statement apply to. You can specify AWS accounts (root), IAM users, IAM roles, and some AWS services as principals in a key policy. IAM groups are not valid principals.

Although it cannot be done with the KMS key policy alone, by combining it with an IAM policy it is possible for the IAM group to manage the users who can access the KMS key.

http://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

> **Allowing Multiple IAM Users to Access a CMK**
>
> IAM groups are not valid principals in a key policy. To allow multiple IAM users to access a CMK, do one of the following:
>
> - Add each IAM user to the key policy. This approach requires that you update the key policy each time the list of authorized users changes.
> - Ensure that the key policy includes the statement that enables IAM policies to allow access to the CMK. Then create an IAM policy that allows access to the CMK, and then attach that policy to an IAM group that contains the authorized IAM users. Using this approach, you don't need to modify any policies when the list of authorized users changes. Instead, you only need to add or remove those users from the appropriate IAM group.

It's a bit boring, but if you use KMS frequently you can put it together in a module.
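The second approach from the quoted docs, written out as an added example (not code from this thread or from minamijoyo's repository): the key policy names only the account root, which is the statement that lets IAM policies in the account grant access, and the group-attached IAM policy is scoped to this one key's ARN rather than `"*"`. The group name `admins` comes from the issue; the `kms:` actions, the policy name and the `data.aws_caller_identity.current` data source are assumptions.

```hcl
data "aws_caller_identity" "current" {}

# Key policy: the account root is the only principal. This statement is what
# enables IAM policies to grant access; without it, IAM policies are ignored
# for this key. No individual users or groups are listed here.
resource "aws_kms_key" "lambda-slack" {
  description         = "Lambda/Slack integration key"
  enable_key_rotation = "true"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}

# IAM policy scoped to this single key (assumed action list). Group membership,
# not the key policy, now decides which users hold these permissions.
data "aws_iam_policy_document" "lambda_slack_key_users" {
  statement {
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["${aws_kms_key.lambda-slack.arn}"]
  }
}

resource "aws_iam_policy" "lambda_slack_key_users" {
  name   = "lambda-slack-key-users"
  policy = "${data.aws_iam_policy_document.lambda_slack_key_users.json}"
}

# Attach to the existing "admins" group (assumed to be managed elsewhere).
resource "aws_iam_group_policy_attachment" "lambda_slack_key_users" {
  group      = "admins"
  policy_arn = "${aws_iam_policy.lambda_slack_key_users.arn}"
}
```

Adding or removing a user from `admins` changes who can use the key without touching either policy; auditing access then means reviewing group membership plus the IAM policies attached to that group.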
I barely understand the second way of doing it. Do you have an example to do this?
@FransUrbo I created an example that controls IAM users who can access KMS key with the IAM group.
https://github.com/minamijoyo/terraform-kms-example
I hope this helps you.
Yeah, that helped. I think I get it now. Seems simple enough - famous last words :).
Thanx!
I'm glad to help 😄
Closing this :) Thanks for the help in determining that it's not a Terraform bug @minamijoyo
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.