每当我尝试创建CMK密钥时,都会出现错误:{“ errorMessage”:“用户:arn:aws:sts :: [...]无权执行:kms:CreateKey。

如何为特定IAM用户创建CMK密钥?我猜我需要调用该用户的IAM策略?

AWSKMS kms = AWSKMSClientBuilder.defaultClient();

String desc = "My CMK key";

CreateKeyRequest createCMKreq = new
CreateKeyRequest().withDescription(desc);
CreateKeyResult createCMKresult = kms.createKey(createCMKreq);

最佳答案

您需要IAM User才能将AWSKeyManagementServicePowerUser托管策略附加到用户。

您可以附加以下政策:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "kms:CreateAlias",
            "kms:CreateKey",
            "kms:DeleteAlias",
            "kms:Describe*",
            "kms:GenerateRandom",
            "kms:Get*",
            "kms:List*",
            "kms:TagResource",
            "kms:UntagResource",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers"
        ],
        "Resource": "*"
    }
 ]
}


希望这可以帮助

07-24 09:39
查看更多