Hi team,
I have an SFTP user that uses an sftp_role to put S3 objects into an encrypted S3 bucket (SSE-KMS with my own KMS key).
I modified the key policy to add another statement:
- sftp_role as principal
- actions =
  [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey",
    "kms:DescribeKey"
  ]
- resource =
  [myencryptedBucketArn, myencryptedBucketArn/*]
The SFTP user got an access denied error when copying files into the bucket.
When I moved this policy directly onto sftp_role, it worked and the user was able to put files:
- new policy under sftp_role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:region:7sj14575037811:key/dafsf-ceasfasf4asf-asfaf-asfasfas123",
      "Effect": "Allow"
    }
  ]
}
I'm just wondering why it doesn't work when I put the role as principal in the key policy, but it worked when I added a new policy to sftp_role itself to give it permission to use the key.
Kind Regards
Sorry, I did not understand the first part of the answer.
Sorry! On reading your question again, it sounds like you might be talking about two different types of policy: the KMS key policy, and the IAM role policy. The action will need to be allowed in both of these for it to work.
In the KMS key policy, the resource can be "*", which refers to the KMS key the policy is applied to, and in the IAM policy for the role, the resource will need to be the KMS key ARN, as you have already done.
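As an added illustration (not code from the question or from the answer above), the following Python puts the key policy from the question beside a corrected one and evaluates both with a small model of the same-account KMS decision: a key policy statement that names the role directly grants access on its own, and the default account-root statement ("Enable IAM User Permissions") delegates to the caller's IAM policy. The model ignores Deny statements, conditions, grants and cross-account access. All ARNs, the account ID and the bucket name are constructed for the example; the role statement's Resource is the only thing that differs between the broken and the fixed key policy.

```python
import fnmatch

# Constructed identifiers for this example; not the account, key or bucket
# from the original post.
ACCOUNT = "123456789012"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/sftp_role"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
BUCKET_ARN = "arn:aws:s3:::my-encrypted-bucket"
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey", "kms:DescribeKey"]


def key_policy(role_resource):
    """Key policy with the default root statement plus one for sftp_role.
    Only `role_resource` differs between the broken and the fixed version."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Default statement: lets IAM policies in this account grant key access
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": ROOT_ARN},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Statement the question added for the role
                "Sid": "Allow sftp_role to use the key",
                "Effect": "Allow",
                "Principal": {"AWS": ROLE_ARN},
                "Action": KMS_ACTIONS,
                "Resource": role_resource,
            },
        ],
    }


# What the question did: S3 bucket ARNs as the resource, which never match the key.
BROKEN_KEY_POLICY = key_policy([BUCKET_ARN, BUCKET_ARN + "/*"])
# What a key policy needs: "*" means "this key".
FIXED_KEY_POLICY = key_policy("*")

# The identity policy the question attached to sftp_role (key ARN as resource).
IAM_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": KEY_ARN}],
}
NO_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM-style wildcard matching for the Action and Resource elements
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def _principals(stmt):
    principal = stmt.get("Principal")
    if principal is None:  # identity policy: the principal is implicit
        return []
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _allows(policy, action, resource_arn, must_name=None):
    """True if some Allow statement covers `action` on `resource_arn`.
    When `must_name` is given, the statement also has to name that principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if must_name is not None:
            names = _principals(stmt)
            if must_name not in names and "*" not in names:
                continue
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource_arn):
            return True
    return False


def kms_allows(key_policy_doc, iam_policy_doc, principal_arn, action, key_arn):
    """Simplified same-account KMS decision (no Deny, conditions or grants):
    allowed if the key policy names the caller directly, or if the key policy
    delegates to IAM via the account-root statement and the caller's IAM
    policy allows the action on the key."""
    root_arn = "arn:aws:iam::" + key_arn.split(":")[4] + ":root"
    direct = _allows(key_policy_doc, action, key_arn, must_name=principal_arn)
    delegated = (_allows(key_policy_doc, action, key_arn, must_name=root_arn)
                 and _allows(iam_policy_doc, action, key_arn))
    return direct or delegated


if __name__ == "__main__":
    # S3 needs kms:GenerateDataKey from the caller for an SSE-KMS upload
    for label, kp, ip in [("broken key policy, no IAM policy", BROKEN_KEY_POLICY, NO_IAM_POLICY),
                          ("broken key policy + IAM policy", BROKEN_KEY_POLICY, IAM_ROLE_POLICY),
                          ("fixed key policy, no IAM policy", FIXED_KEY_POLICY, NO_IAM_POLICY)]:
        print(f"{label}: {kms_allows(kp, ip, ROLE_ARN, 'kms:GenerateDataKey', KEY_ARN)}")
```

The three cases reproduce what the question observed: the bucket-ARN statement never matches the key, so only the root statement plus the role's IAM policy lets the upload through; with Resource set to "*" the key policy grants access by itself. Note also that dropping the root statement from the key policy makes the IAM policy alone insufficient, which is why a key policy should keep that statement if IAM policies are meant to control access.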