How can I resolve the AWS KMS key policy error "Policy contains a statement with one or more invalid principals"?

3 minute read

I tried to modify my AWS Key Management Service (AWS KMS) key policy. However, I received an error in the AWS Management Console similar to "PutKeyPolicy request failed MalformedPolicyDocumentException - Policy contains a statement with one or more invalid principals."

Short description

The PutKeyPolicy AWS KMS API call request fails when the specified key policy isn't syntactically or semantically correct. The AWS KMS key policy doesn't contain the ARN. Instead, the key policy contains a principal with a unique ID that's similar to AIDACKCEVSQ6C2EXAMPLE.


JSON syntax

Confirm that the JSON policy document resource type is valid. To troubleshoot JSON syntax errors, paste the JSON policy document into a JSON formatting tool, such as the JSON Beautifier on the JSON Beautifier website. Remove any unnecessary characters, and add any missed characters. Remove duplicate JSON policy elements and SID values.

Principal elements

In the principal element in the JSON policy, confirm that the AWS Identity and Access Management (IAM) identity exists and has a valid ARN.

Note: You can't use a wildcard in the part of the ARN that specifies the resource type.

When you create IAM identities, friendly names are used, such as Bob or Developers. For security purposes, these IAM identities are also assigned a unique identifier, such as AIDACKCEVSQ6C2EXAMPLE. Remove orphaned unique IDs from the key policy. For more information, see Key policies in AWS KMS.

Note: If the AWS KMS key policy has permissions to another account or principal, then the key policy might not be in effect. The key policy is in effect only in the AWS Region that contains the AWS KMS key.

AWS services

If an AWS service is listed as the principal, then make sure that AWS KMS supports the service. The principal must be the IAM identity. Also, you must use the kms:ViaService condition key for the AWS services that make the requests for the IAM identity.

Because not all AWS services directly call AWS KMS, check if the AWS service that you're using directly calls AWS KMS. For example, an AWS service such as Amazon Elastic Compute Cloud (Amazon EC2) makes calls for a principal in the account. AWS services that make direct calls to AWS KMS must have the service principal in the Principal element.

For more information, see Services that support the kms:ViaService condition key.

Opt-in AWS Region

The account that you share the AWS KMS keys with must opt in to the AWS Region within the recipient account. Otherwise, the KMS keys aren't valid in that Region.

Make sure that the Region is activated in the recipient account. You can also share another AWS KMS key in a Region that's activated in the AWS account and recipient account. For more information, see Specify which AWS Regions your account can use.

Related information

Changing a key policy

AWS OFFICIALUpdated 6 months ago