每当我尝试创建CMK密钥时,都会出现错误:{“ errorMessage”:“用户:arn:aws:sts :: [...]无权执行:kms:CreateKey。
如何为特定IAM用户创建CMK密钥?我猜我需要调用该用户的IAM策略?
AWSKMS kms = AWSKMSClientBuilder.defaultClient();
String desc = "My CMK key";
CreateKeyRequest createCMKreq = new
CreateKeyRequest().withDescription(desc);
CreateKeyResult createCMKresult = kms.createKey(createCMKreq);
最佳答案
您需要IAM User才能将AWSKeyManagementServicePowerUser托管策略附加到用户。
您可以附加以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateAlias",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:Describe*",
"kms:GenerateRandom",
"kms:Get*",
"kms:List*",
"kms:TagResource",
"kms:UntagResource",
"iam:ListGroups",
"iam:ListRoles",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
希望这可以帮助