我有关于 KMS 和 iam 设置的问题 我使用 terraform 构建基础设施,在设置 kms 并将它们加密到我的 ec2、s3、rds 中后,它告诉我错误:
Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect stateThen I google it and try to add the policy into the kms, it will tell me that`
│ Error: updating KMS Key (2a1964c4-1d94-41fa-bc35-e024f390169e) policy: operation error KMS: PutKeyPolicy, https response error StatusCode: 400, RequestID: 7fa37973-f309-4b3c-9b3b-46f74ffbd6c0, InvalidArnException: An ARN in the specified key policy is invalid.
│
│ with aws_kms_key.secret_manager_key,
│ on kms.tf line 2, in resource "aws_kms_key" "secret_manager_key":
│ 2: resource "aws_kms_key" "secret_manager_key" {
│
╵
╷
│ Error: updating KMS Key (11622042-efa3-4f4c-ba89-614a651ec9c9) policy: operation error KMS: PutKeyPolicy, https response error StatusCode: 400, RequestID: 8a4df79f-bef2-43d7-a34d-d64584247138, InvalidArnException: An ARN in the specified key policy is invalid.
│
│ with aws_kms_key.ec2_kms_key,
│ on kms.tf line 48, in resource "aws_kms_key" "ec2_kms_key":
│ 48: resource "aws_kms_key" "ec2_kms_key" {
│
╵
╷
│ Error: updating KMS Key (7faafee5-8e51-4e2a-b104-fc835196bf37) policy: operation error KMS: PutKeyPolicy, https response error StatusCode: 400, RequestID: 0c7f4730-4dc6-485f-8e51-9bc0bc55ec04, MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future.
│
│ with aws_kms_key.rds_kms_key,
│ on kms.tf line 83, in resource "aws_kms_key" "rds_kms_key":
│ 83: resource "aws_kms_key" "rds_kms_key" {
│
╵
╷
│ Error: updating KMS Key (020cbf71-e114-4a2f-8d0a-9cb7f2f5f965) policy: operation error KMS: PutKeyPolicy, https response error StatusCode: 400, RequestID: b7e7a0a4-6c39-47b6-ad0e-bb23a1212076, InvalidArnException: An ARN in the specified key policy is invalid.
│
│ with aws_kms_key.s3_kms_key,
│ on kms.tf line 117, in resource "aws_kms_key" "s3_kms_key":
│ 117: resource "aws_kms_key" "s3_kms_key" {
│ `
我已经检查过arn;他们处于 iam 角色,并且手臂是正确的,我不知道为什么他们给我错误。 我的代码如下所示:
resource "aws_kms_key" "secret_manager_key" {
description = "KMS key for Secrets Manager"
deletion_window_in_days = 10
enable_key_rotation = true
rotation_period_in_days = 90
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "Allow the account to update key policy",
Effect = "Allow",
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = [
"kms:PutKeyPolicy"
],
Resource = "*"
},
{
Sid = "Allow attachment of persistent resources"
Effect = "Allow"
Principal = {
AWS = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/ec2_role_profile",
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
Resource = "*"
Condition = {
Bool = {
"kms:GrantIsForAWSResource" = "true"
}
}
}
]
})
}
resource "aws_kms_key" "ec2_kms_key" {
description = "KMS key for EC2"
deletion_window_in_days = 10
enable_key_rotation = true
rotation_period_in_days = 90
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Allow attachment of persistent resources"
Effect = "Allow"
Principal = {
AWS = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/ec2_role_profile",
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
Resource = "*"
Condition = {
Bool = {
"kms:GrantIsForAWSResource" = "true"
}
}
}
]
})
}
resource "aws_kms_key" "rds_kms_key" {
description = "KMS key for RDS"
deletion_window_in_days = 10
enable_key_rotation = true
rotation_period_in_days = 90
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Allow attachment of persistent resources"
Effect = "Allow"
Principal = {
AWS = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS"
]
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
Resource = "*"
Condition = {
Bool = {
"kms:GrantIsForAWSResource" = "true"
}
}
}
]
})
}
resource "aws_kms_key" "s3_kms_key" {
description = "KMS key for S3"
deletion_window_in_days = 10
enable_key_rotation = true
rotation_period_in_days = 90
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Allow attachment of persistent resources"
Effect = "Allow"
Principal = {
AWS = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/ec2_role_profile",
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
Resource = "*"
Condition = {
Bool = {
"kms:GrantIsForAWSResource" = "true"
}
}
}
]
})
}
resource "aws_kms_alias" "ec2_key_alias" {
name = "alias/ec2-key"
target_key_id = aws_kms_key.ec2_kms_key.id
}
resource "aws_kms_alias" "rds_key_alias" {
name = "alias/rds-key"
target_key_id = aws_kms_key.rds_kms_key.id
}
resource "aws_kms_alias" "s3_key_alias" {
name = "alias/s3-key"
target_key_id = aws_kms_key.s3_kms_key.id
}
resource "aws_kms_alias" "secrets_manager_key_alias" {
name = "alias/secrets-manager-key"
target_key_id = aws_kms_key.secret_manager_key.id
}
出现此问题的原因有两个,第一个原因是 KMS 密钥被禁用或处于待删除状态,请尝试运行
aws kms describe-key --key-id <key-id>第二件事是 KMS 密钥角色本身,它还需要向需要使用它的角色授予权限,或者更简单地授予其访问完整帐户的权限:
{
"Sid": "AllowRootAccountFullAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your-account-id>:root"
},
"Action": "kms:*",
"Resource": "*"
}
请重新检查这两件事,看看是否存在问题。