I keep getting this error but I can't seem to spot what is wrong with my policy. Can someone help? This is my aws_kms_key_policy:

resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Id        = "kms-key-policy",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*", # there is no action named kms:ReEncrypt; the wildcard covers ReEncryptFrom/ReEncryptTo
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:PutKeyPolicy", # lets the service principal rewrite this key policy
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}

I can't seem to spot what is incorrect with my policy.

Update

I've now added the root account to my policy:

resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Id        = "kms-key-policy",
    Statement = [
      {
        Sid    = "Allow administration of the key",
        Effect = "Allow",
        Principal = {
          "AWS" = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      },
      {
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*", # there is no action named kms:ReEncrypt; the wildcard covers ReEncryptFrom/ReEncryptTo
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}

It first applied fine but now I'm getting the following error if I try to redeploy the same code even though no changes have been made:

│ Error: attaching KMS Key policy (7f01f1d8-2b2f-4d23-97df-34e65401dfa8): updating policy: waiting for completion: timeout while waiting for state to become 'TRUE' (last state: 'FALSE', timeout: 10m0s)

When I first applied it after adding the root account user it was applied successfully. Is there a reason why I'm getting this error?

Mark B

This statement only allows the principal states.amazonaws.com to ever do anything with the key ever again. It blocks you, the owner of the key, from ever modifying the key in the future. That's why it is rejecting the policy.

Marko E

I think you also want to allow the policy to be updated by a user from your AWS account. Right now there is no way to update the policy, as you are only allowing an AWS service to perform some actions. To fix this, I would add something like:

resource "aws_kms_key_policy" "kms_key" {
  key_id = aws_kms_key.kms_key.key_id

  policy = jsonencode({
    Id        = "kms-key-policy",
    Version   = "2012-10-17",
    Statement = [
      {
        Sid    = "Allow administration of the key",
        Effect = "Allow",
        Principal = {
          "AWS" = "arn:aws:iam::<your AWS account ID>:user/<user name>"
        },
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      },
      {
        Effect = "Allow",
        Principal = {
          Service = "states.amazonaws.com"
        },
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*", # there is no action named kms:ReEncrypt; the wildcard covers ReEncryptFrom/ReEncryptTo
          "kms:GenerateDataKey",
          "kms:DescribeKey",
          "kms:CreateGrant"
        ],
        Resource = aws_kms_key.kms_key.arn
      }
    ]
  })
}

This will allow only the user that you specify to administer the KMS key. If you want to allow the account root user to administer the key, you can use the following:

Principal = {
  "AWS" = "arn:aws:iam::<your AWS account ID>:root"
}

As per the AWS documentation, the "Version" element is required:

2012-10-17. This is the current version of the policy language, and you should always include a Version element and set it to 2012-10-17.

If you have a different identity that needs to administer the key, you can see more examples in the re:Post article.
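Both answers come down to the same check KMS applies when a key policy is put: the new policy must leave some principal in the account able to change it, otherwise the call is rejected. The following Python lint is an added example, not code from the question or from either answer. It encodes that lockout check together with the Version requirement and the misspelled kms:ReEncrypt action, and runs it over the question's first policy and over the fixed shape from Marko E's answer (root principal for administration, data-plane actions only for states.amazonaws.com). The account ID, region and key ID in it are constructed placeholders, and KNOWN_KMS_ACTIONS is a hand-maintained subset of real KMS action names; both are assumptions of the example.

```python
"""Lint a KMS key policy before terraform apply, flagging what made the posted
policies fail.  Added example, not code from the thread.  The account ID,
region and key ID are constructed placeholders."""
import json
import re
from typing import Any

ACCOUNT = "123456789012"  # placeholder account (constructed)
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"

# Hand-maintained subset of real KMS action names (assumption: extend as needed).
# A non-wildcard action outside this set matches nothing, which is what the
# "kms:ReEncrypt" entry in the posted policies did.
KNOWN_KMS_ACTIONS = {
    "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "GenerateRandom", "DescribeKey",
    "CreateKey", "CreateAlias", "UpdateAlias", "DeleteAlias", "ListAliases",
    "ListKeys", "GetKeyPolicy", "PutKeyPolicy", "ListKeyPolicies", "CreateGrant",
    "RetireGrant", "RevokeGrant", "ListGrants", "EnableKey", "DisableKey",
    "EnableKeyRotation", "DisableKeyRotation", "GetKeyRotationStatus",
    "ScheduleKeyDeletion", "CancelKeyDeletion", "TagResource", "UntagResource",
    "ListResourceTags", "UpdateKeyDescription", "Sign", "Verify", "GetPublicKey",
}


def _as_list(value: Any) -> list:
    return [] if value is None else (value if isinstance(value, list) else [value])


def glob_matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' a single one."""
    regex = ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principals(statement: dict, kind: str) -> list:
    """Principal entries of one kind ('AWS' or 'Service'); a bare '*' counts as AWS."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"] if kind == "AWS" else []
    return _as_list(principal.get(kind)) if isinstance(principal, dict) else []


def lint_key_policy(policy_json: str, key_arn: str) -> list:
    """Return findings; an empty list means the policy keeps an account principal
    able to change it, names only real KMS actions and carries a Version."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version element missing or not 2012-10-17")
    admins, denied = set(), set()
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        sid = st.get("Sid") or f"Statement[{i}]"
        actions = _as_list(st.get("Action"))
        for action in actions:
            service, _, name = action.partition(":")
            if service.lower() == "kms" and not set("*?") & set(name) and name not in KNOWN_KMS_ACTIONS:
                findings.append(f"{sid}: '{action}' is not a KMS action and grants nothing")
        touches_policy = any(glob_matches(a, "kms:PutKeyPolicy", True) for a in actions) and any(
            glob_matches(r, key_arn) for r in _as_list(st.get("Resource")))
        if not touches_policy:
            continue
        if st.get("Effect") == "Allow":
            if "Condition" not in st:  # a conditional allow is not a guaranteed way back in
                admins.update(_principals(st, "AWS"))
            for svc in _principals(st, "Service"):
                findings.append(f"{sid}: service principal {svc} may rewrite the key policy; "
                                "keep kms:PutKeyPolicy for account principals")
        elif st.get("Effect") == "Deny":
            denied.update(_principals(st, "AWS"))
    if "*" in denied:
        admins.clear()
    if not admins - denied:
        findings.append("lockout: no account principal is allowed kms:PutKeyPolicy on this key, "
                        "so PutKeyPolicy will be rejected")
    return findings


# The question's first policy with the Terraform interpolation resolved (constructed).
LOCKED_OUT_POLICY = json.dumps({"Id": "kms-key-policy", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "states.amazonaws.com"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey",
               "kms:DescribeKey", "kms:PutKeyPolicy", "kms:CreateGrant"],
    "Resource": KEY_ARN}]})

# The answer's shape: root administers, the service gets data-plane actions only.
FIXED_POLICY = json.dumps({"Id": "kms-key-policy", "Version": "2012-10-17", "Statement": [
    {"Sid": "Allow administration of the key", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "states.amazonaws.com"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey",
                "kms:DescribeKey", "kms:CreateGrant"],
     "Resource": KEY_ARN}]})

if __name__ == "__main__":
    for label, doc in (("locked-out", LOCKED_OUT_POLICY), ("fixed", FIXED_POLICY)):
        print(label, lint_key_policy(doc, KEY_ARN) or "ok")
```

The lint deliberately treats a conditional Allow as not counting toward the way back in, so a policy that only re-admits the account under a Condition is reported as a lockout; relax that if your policies rely on such conditions. It does not look at IAM identity policies, so a key whose policy delegates administration to IAM through the root principal is judged the same way KMS judges it: by whether the key policy itself names an account principal.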