Amazon web services Can';t使用ansible访问aws中的特定kms密钥
我在aws中有一个KMS,我需要从ansible脚本获取数据。脚本如下:Amazon web services Can';t使用ansible访问aws中的特定kms密钥,amazon-web-services,ansible,amazon-kms,Amazon Web Services,Ansible,Amazon Kms,我在aws中有一个KMS,我需要从ansible脚本获取数据。脚本如下: name: encryption key hosts: localhost connection: local tasks: - name: get kms community.aws.aws_kms_info: filters: "tag:Name": kms-key 将在KMS中添加一个标记,标记名为Name=KMS ke
name: encryption key
hosts: localhost
connection: local
tasks:
- name: get kms
community.aws.aws_kms_info:
filters:
"tag:Name": kms-key
将在KMS中添加一个标记,标记名为Name=KMS key,密钥为SYMMETRIC\u默认类型。我听到一个错误说
ClientError: An error occurred (AccessDeniedException) when calling the DescribeKey operation: User: arn:aws:iam::1234567:user/devRange is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-2:1234567:key/34343423444545
问题是,错误中指定的资源arn不是我要从中获取信息的kms密钥。标记(kms键)位于另一个kms中。它是否需要拥有帐户中所有kms密钥的权限,以便我从特定kms检索数据。
kms:DescribeKey
权限是为从kms检索数据的用户授予的。kms:DescribeKey
是关键策略权限,而不是IAM。检查此特定密钥上的密钥策略是否允许此操作: