Amazon Web Services: ECS container cannot use AWS KMS key due to access denied

Initial state: I want to decrypt values with a KMS key inside an ECS container. For that, the task definition has an execution role that references the following role, RoleECSTaskContainer. The role and the KMS key are set up as shown below:
    KMSKeyEncryption:
      Type: AWS::KMS::Key
      Properties:
        Enabled: true
        EnableKeyRotation: false
        KeyPolicy:
          Version: 2012-10-17
          Statement:
            - Principal:
                AWS: arn of the users/roles who are allowed to manage this key
              Effect: Allow
              Action:
                - kms:Create*
                - kms:Describe*
                - kms:Enable*
                - kms:List*
                - kms:Put*
                - kms:Update*
                - kms:Revoke*
                - kms:Disable*
                - kms:Get*
                - kms:Delete*
                - kms:ScheduleKeyDeletion
                - kms:CancelKeyDeletion
                - kms:Encrypt*
                - kms:Decrypt*
              Resource: "*"
            - Principal:
                AWS: ecs-tasks.amazonaws.com
              Effect: Allow
              Action:
                - kms:Decrypt*
              Resource: "*"

    PolicyDecryptKms:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        ManagedPolicyName: DecryptKmsPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AllowDecryptValues
              Effect: Allow
              Action:
                - kms:Decrypt*
              Resource: !GetAtt KMSKeyEncryption.Arn

    RoleECSTaskContainer:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: 2008-10-17
          Statement:
            - Effect: Allow
              Principal:
                Service: ecs-tasks.amazonaws.com
              Action: sts:AssumeRole
        RoleName: ECSTaskContainerRole
        ManagedPolicyArns:
          - !Ref PolicyDecryptKms
When the container tries to decrypt a value with the KMS key, the following exception occurs:
User: arn:aws:sts::123123123:assumed-role/ECSTaskContainerRole/bc9a5782-9sf8-312a-8z76-0ef29a6e5631 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:eu-west-1:123123123:key/8c9h2f44-bjvb-4l2d-fkj11-fjdahjEr564182
After some investigation I found that if I change the key policy slightly so that all principals are allowed to decrypt, as follows, it starts working:
    KMSKeyEncryption:
      Type: AWS::KMS::Key
      Properties:
        Enabled: true
        EnableKeyRotation: false
        KeyPolicy:
          Version: 2012-10-17
          Statement:
            - Principal:
                AWS: arn of the users/roles who are allowed to manage this key
              Effect: Allow
              Action:
                - kms:Create*
                - kms:Describe*
                - kms:Enable*
                - kms:List*
                - kms:Put*
                - kms:Update*
                - kms:Revoke*
                - kms:Disable*
                - kms:Get*
                - kms:Delete*
                - kms:ScheduleKeyDeletion
                - kms:CancelKeyDeletion
                - kms:Encrypt*
                - kms:Decrypt*
              Resource: "*"
            - Principal: "*"
              Effect: Allow
              Action:
                - kms:Decrypt*
              Resource: "*"
But this is not a secure way to define the key policy, because I am allowing everyone to decrypt values with this KMS key.

I assume that using ecs-tasks.amazonaws.com as the principal is wrong. Is that correct? If so, which service should I use in this case?

There are two ways to control access to KMS keys:
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
So it depends on how you want to manage your policies. For simplicity, I usually prefer the KMS key policy. So I would simply set the key policy to grant the role kms:Decrypt and remove the managed IAM policy:
    KMSKeyEncryption:
      Type: AWS::KMS::Key
      Properties:
        KeyPolicy:
          Version: 2012-10-17
          Statement:
            ...
            - Principal:
                AWS: !GetAtt RoleECSTaskContainer.Arn
              Effect: Allow
              Action:
                - kms:Decrypt*
              Resource: "*"

    RoleECSTaskContainer:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: 2008-10-17
          Statement:
            - Effect: Allow
              Principal:
                Service: ecs-tasks.amazonaws.com
              Action: sts:AssumeRole
        RoleName: ECSTaskContainerRole
Then please mark his answer as the "correct" answer.
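To make the reason for the AccessDenied in the question and the fix in the answer concrete, here is an added example that is not code from the original post or from AWS. It models, in simplified form, the two paths KMS accepts for a kms:Decrypt call (a key policy statement naming the caller's role, or a key policy statement naming the account root plus an IAM policy on the caller) and runs the question's three key-policy variants, a Service-principal variant, and the answer's root-delegation statement through it. Account id, key id, role names and session names are constructed placeholders; explicit denies, policy conditions, grants, SCPs and cross-account access are deliberately left out.

```python
"""Simplified model of how KMS authorizes kms:Decrypt on a customer-managed key.

Added example, not code from the original post or from AWS. Account id, key id,
role names and session names are constructed placeholders. Two allow paths are
modelled (denies, conditions, grants, SCPs, cross-account access are omitted):
  (a) a key policy statement names the caller's role (or "*") directly, or
  (b) a key policy statement names the account root (the "Enable IAM User
      Permissions" statement) AND an IAM policy on the caller allows the key.
"""
import re
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ECSTaskContainerRole"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
# The identity a container's SDK call arrives as: an assumed-role session
# (compare the error text in the question), never a service principal.
TASK_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/ECSTaskContainerRole/ecs-task-session"
OTHER_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/UnrelatedRole/some-session"


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _any_match(patterns, candidate):
    return any(fnmatchcase(candidate, p) for p in _as_list(patterns))


def role_arn_from_session(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN a policy names."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def _principal_matches(principal, caller_arn):
    """True if a Principal element names caller_arn.

    Only the "AWS" key can name an IAM role or account. A "Service" principal
    never matches a role session, and a service hostname under "AWS" (the
    question's first attempt) is not an ARN or account id, so it names nobody.
    """
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for p in _as_list(principal.get("AWS")):
        if p == "*" or p == caller_arn:
            return True
        if re.fullmatch(r"\d{12}", p) and caller_arn == f"arn:aws:iam::{p}:root":
            return True  # a bare account id is shorthand for the account root
    return False


def _statements_allow(policy, action, resource, caller_arn=None):
    """Allow-statement scan; caller_arn=None means an identity (IAM) policy."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not _any_match(st.get("Action"), action) or not _any_match(st.get("Resource"), resource):
            continue
        if caller_arn is None or _principal_matches(st.get("Principal"), caller_arn):
            return True
    return False


def can_decrypt(key_policy, session_arn, iam_policies, key_arn=KEY_ARN):
    """Return (allowed, reason) for a kms:Decrypt call on key_arn."""
    role_arn = role_arn_from_session(session_arn)
    root_arn = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    if _statements_allow(key_policy, "kms:Decrypt", key_arn, role_arn):
        return True, "key policy names the caller (or '*') directly"
    if _statements_allow(key_policy, "kms:Decrypt", key_arn, root_arn):
        if any(_statements_allow(p, "kms:Decrypt", key_arn) for p in iam_policies):
            return True, "key policy delegates to IAM via account root and an IAM policy allows the key"
        return False, "key policy delegates to IAM but no attached IAM policy allows kms:Decrypt on this key"
    return False, "no key policy statement names the caller's role or its account root"


def key_policy_with(decrypt_principal):
    """Key policy shaped like the question's: one admin statement plus one decrypt statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:Encrypt*", "kms:Decrypt*"],
         "Resource": "*"},
        {"Sid": "Decrypt", "Effect": "Allow", "Principal": decrypt_principal,
         "Action": ["kms:Decrypt*"], "Resource": "*"},
    ]}


BROKEN = key_policy_with({"AWS": "ecs-tasks.amazonaws.com"})       # question, first attempt
SERVICE = key_policy_with({"Service": "ecs-tasks.amazonaws.com"})  # "which service?": none matches a role
OPEN = key_policy_with("*")                                        # question, "it works now" variant
FIXED = key_policy_with({"AWS": ROLE_ARN})                         # answer: name the role
DELEGATED = key_policy_with({"AWS": ROOT_ARN})                     # answer's JSON: delegate to IAM

# The question's managed policy, with !GetAtt KMSKeyEncryption.Arn resolved.
DECRYPT_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowDecryptValues", "Effect": "Allow",
     "Action": ["kms:Decrypt*"], "Resource": KEY_ARN}]}

if __name__ == "__main__":
    for name, pol, session, iam in [
        ("BROKEN + IAM policy", BROKEN, TASK_SESSION, [DECRYPT_KMS_POLICY]),
        ("SERVICE + IAM policy", SERVICE, TASK_SESSION, [DECRYPT_KMS_POLICY]),
        ("OPEN, task role", OPEN, TASK_SESSION, []),
        ("OPEN, unrelated role", OPEN, OTHER_SESSION, []),
        ("FIXED, task role", FIXED, TASK_SESSION, []),
        ("FIXED, unrelated role", FIXED, OTHER_SESSION, []),
        ("DELEGATED + IAM policy", DELEGATED, TASK_SESSION, [DECRYPT_KMS_POLICY]),
        ("DELEGATED, no IAM policy", DELEGATED, TASK_SESSION, []),
    ]:
        print(f"{name:26s} -> {can_decrypt(pol, session, iam)}")
```

The first case reproduces the question's failure: `AWS: ecs-tasks.amazonaws.com` is neither an ARN nor an account id, so the statement names no principal, and because no statement grants the account root, the managed IAM policy cannot help either. The `SERVICE` case shows that no service principal fixes it: the container calls KMS with the task role's credentials, so the key policy has to name the role. The `OPEN` case shows why `Principal: "*"` "works": an unrelated role in the same account with no IAM permissions at all can also decrypt. A quick check from inside the container is `aws sts get-caller-identity` followed by `aws kms get-key-policy --key-id <key-id> --policy-name default`; the identity printed is the assumed-role session, and the key policy must name that role (by role ARN) or delegate to IAM via the account root.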