Amazon web services KMS密钥策略的有效语法是什么,以避免格式错误的策略文档错误?
我正在尝试创建一个AWS KMS密钥策略,并且一直在尝试让Cloudformation接受密钥策略。我能够找到并阅读的所有内容都表明此策略应该有效,并且在运行时语法正确,但返回格式错误的PolicyDocumentExceptionNull(服务:AWSKMS;状态代码:400; 还有其他人遇到过这个问题吗?如果是的话,对我如何解决这些错误有什么想法或建议吗?我一直被困在这个问题上,脑袋砰砰作响,看不出我遗漏了什么,我的谷歌fu让我失望 代码段:Amazon web services KMS密钥策略的有效语法是什么,以避免格式错误的策略文档错误?,amazon-web-services,amazon-cloudformation,Amazon Web Services,Amazon Cloudformation,我正在尝试创建一个AWS KMS密钥策略,并且一直在尝试让Cloudformation接受密钥策略。我能够找到并阅读的所有内容都表明此策略应该有效,并且在运行时语法正确,但返回格式错误的PolicyDocumentExceptionNull(服务:AWSKMS;状态代码:400; 还有其他人遇到过这个问题吗?如果是的话,对我如何解决这些错误有什么想法或建议吗?我一直被困在这个问题上,脑袋砰砰作响,看不出我遗漏了什么,我的谷歌fu让我失望 代码段: SnowflakeProdKMS: Type:
SnowflakeProdKMS:
Type: AWS::KMS::Key
Properties:
Description: KMS key used by Snowflake to encrypt/decrypt data stored in s3
Enabled: True
EnableKeyRotation: False
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
- !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- kms:*
Resource: '*'
- Sid: Enable AWSAdminRole to have full permissions to KMS key
Effect: Allow
Principal:
AWS:
- !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
Action: kms:*
Resource: '*'
- Sid: Allow use of the key by other roles
Effect: Allow
Principal:
AWS:
- !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
# - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
Action:
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt
- kms:GenerateDataKey
- kms:DescribeKey
Resource: '*'
- Sid: Allow attachment of persistent resources
Effect: Allow
Principal:
AWS:
- !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
# - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
- !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- kms:CreateGrant
- kms:ListGrants
- kms:RevokeGrant
Resource: '*'
Condition:
Bool:
- kms:GrantIsForAWSResource: 'true'
经过多次尝试和错误,并联系其他合作伙伴,我找到了解决上述问题的方法 上面代码段的条件不正确,应按如下格式设置:
Condition:
Bool:
"kms:GrantIsForAWSResource": true
一旦改成这样,政策就没有问题了