Cannot replicate multi-region key due to missing permission
kstevensonnv opened this issue · 2 comments
Description
When creating a multi-region key, the 'key_administrators' IAM policy does not provide the 'kms:ReplicateKey' permission and replication fails with an access denied error.
The comment above the IAM policy for 'key_administrators' points to AWS KMS docs - Default key policy (key administrators) and states:
AWS KMS adds the following permissions to the default key administrators statement when you create special-purpose keys.

kms:ReplicateKey
The kms:ReplicateKey permission allows key administrators to create a replica of a multi-Region primary key in a different AWS Region. This permission is included in the key policy only when you create a multi-Region primary or replica key.

kms:UpdatePrimaryRegion
The kms:UpdatePrimaryRegion permission allows key administrators to change a multi-Region replica key to a multi-Region primary key. This permission is included in the key policy only when you create a multi-Region primary or replica key.
This doesn't happen when creating it via Terraform.
Both permissions should be added to the policy.
- ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: 1.5.0
- Terraform version: 1.5.5
- Provider version(s):
.
├── provider[registry.terraform.io/hashicorp/helm] ~> 2.10.1
├── provider[registry.terraform.io/hashicorp/kubernetes] ~> 2.23.0
├── provider[registry.terraform.io/hashicorp/random] ~> 3.5.1
├── provider[registry.terraform.io/hashicorp/aws] ~> 5.12.0
├── module.cluster_secrets_kms_primary
│ └── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
└── module.cluster_secrets_kms_replica
└── provider[registry.terraform.io/hashicorp/aws] >= 3.72.0
Reproduction Code [Required]
Steps to reproduce the behavior:
```hcl
# Primary region
provider "aws" {
  region  = "eu-west-1"
  profile = "profile"
}

# Replica region, selected via provider alias
provider "aws" {
  alias   = "replica"
  region  = "eu-west-2"
  profile = "profile"
}

data "aws_caller_identity" "current" {}

# Multi-Region primary key; key policy built from key_administrators / key_users
module "kms_primary" {
  source = "terraform-aws-modules/kms/aws"

  description             = "Primary"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 7
  enable_key_rotation     = true
  multi_region            = true
  enable_default_policy   = false
  key_administrators      = [data.aws_caller_identity.current.arn]
  key_users               = [data.aws_caller_identity.current.arn]
}

# Replica of the primary key in eu-west-2 (calls kms:ReplicateKey on the primary)
module "kms_replica" {
  source = "terraform-aws-modules/kms/aws"
  providers = {
    aws = aws.replica
  }

  description             = "Replica"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 7
  enable_key_rotation     = false
  create_replica          = true
  primary_key_arn         = module.kms_primary.key_arn
  enable_default_policy   = false
  key_administrators      = [data.aws_caller_identity.current.arn]
  key_users               = [data.aws_caller_identity.current.arn]
}
```
Expected behavior
The key is replicated in another region.
Actual behavior
Access denied error:
```text
Error: creating KMS Replica Key: AccessDeniedException: User: arn:aws:sts::account:assumed-role/role/session_id is not authorized to perform: kms:ReplicateKey on resource: arn:aws:kms:region:account:key/mrk-key because no resource-based policy allows the kms:ReplicateKey action
        status code: 400, request id: id
```
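The following is an added audit example for the policy gap described in this issue; it is not code from the terraform-aws-kms module or from the reporter. It takes a rendered KMS key policy (the JSON you get from `aws kms get-key-policy`) and reports which of the two multi-Region administrator actions quoted above are not covered by the key-administrators statement, expanding IAM wildcards the way the service does, then returns a patched copy that lists both actions explicitly as the AWS-generated default policy does. The sample policy is constructed here to mirror the wildcard-style default key-administrators statement from the AWS docs; that the module's 1.5.0 output matches it exactly, the `KeyAdministration` Sid, and the account/role ARN are all assumptions. Note that with that statement shape `kms:Update*` already covers `kms:UpdatePrimaryRegion`, so the only action actually reported missing is `kms:ReplicateKey`, which is the one the error message above denies.

```python
"""Audit a KMS key policy for the multi-Region key-administrator actions.

Added example for this issue, not module or reporter code. Deny statements
and conditions are ignored: the check only asks whether some Allow statement
with the administrator Sid covers each action.
"""
import copy
import fnmatch
import json

# Actions AWS KMS adds to the key administrators statement only for
# multi-Region primary/replica keys (quoted from the AWS docs in the issue).
MULTI_REGION_ADMIN_ACTIONS = ("kms:ReplicateKey", "kms:UpdatePrimaryRegion")

# Constructed sample policy (assumed Sid, assumed account/role ARN). The action
# list mirrors the AWS default key-administrators statement, which uses wildcards.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-admin"},
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
            ],
            "Resource": "*",
        },
        {
            "Sid": "KeyUsage",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-admin"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                       "kms:ReEncrypt*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_allowed(action, statement):
    """True if an Allow statement's Action patterns cover `action`.

    IAM action matching is case-insensitive and supports '*' and '?'.
    """
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def find_admin_statement(policy, sid="KeyAdministration"):
    """Return the statement carrying the administrator Sid (assumed name)."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            return stmt
    raise KeyError(f"no statement with Sid {sid!r}")


def missing_multi_region_admin_actions(policy, sid="KeyAdministration"):
    """List the multi-Region admin actions the admin statement does not cover."""
    stmt = find_admin_statement(policy, sid)
    return [a for a in MULTI_REGION_ADMIN_ACTIONS if not _action_allowed(a, stmt)]


def add_multi_region_admin_actions(policy, sid="KeyAdministration"):
    """Return a deep copy whose admin statement lists both actions explicitly."""
    patched = copy.deepcopy(policy)
    stmt = find_admin_statement(patched, sid)
    actions = _as_list(stmt.get("Action"))
    for action in MULTI_REGION_ADMIN_ACTIONS:
        if action not in actions:          # explicit entry, even if a wildcard covers it
            actions.append(action)
    stmt["Action"] = actions
    return patched


if __name__ == "__main__":
    print("missing:", missing_multi_region_admin_actions(SAMPLE_POLICY))
    fixed = add_multi_region_admin_actions(SAMPLE_POLICY)
    print("after patch:", missing_multi_region_admin_actions(fixed))
    print(json.dumps(find_admin_statement(fixed)["Action"], indent=2))
```

To run it against a real key, replace `SAMPLE_POLICY` with the parsed output of `aws kms get-key-policy --key-id <id> --policy-name default` and pass the Sid your policy actually uses; the patched document can then be applied with `aws kms put-key-policy`, although with this module the proper fix is the policy change shipped in the release noted below.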
This issue has been resolved in version 2.0.1 🎉
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.