The solution here was not obvious from the error messages in CloudTrail or CloudFormation. The hint was that adding '*' to resources for the KMS permissions caused it to work properly. When looking through the CloudTrail logs I found a failed DescribeKey entry for an unknown KMS key ID. I looked through the KMS console until I found the key and it was the key for aws/secretsmanager.
Apparently, if you select the option ManageMasterUserPassword: true, then you not only need to add IAM permissions for secretsmanager:CreateSecret but you also need to add KMS permissions for kms:DescribeKey on the aws/secretsmanager KMS key ID ARN.
Hi
It looks like that, although the KMS ARN is valid, CloudFormation cannot access it.
When you create RDS directly in the console there are two pieces: first, your permission to see the key to select it, and then RDS to call the key and use it.
When you do it via CloudFormation this is not always the case, and it appears that CloudFormation is unable to list the key and/or create a grant.
The best thing would be to check CloudTrail for the IAM principal that is being used to see if there are any error statements.
It is probable that you need to grant CloudFormation access to ListKeys and CreateGrant on the KMS key, but CloudTrail will tell you more.
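The triage both answers describe (pull the failed calls for the deploy principal out of CloudTrail, then work out which KMS key the unknown key ID belongs to) can be scripted. This is an added example, not code from either poster; the CloudTrail records, the alias listing, the account ID, the role name and the key IDs are all constructed placeholders.

```python
"""Triage CloudTrail records for failed calls by a deploy principal and map
any KMS key IDs it touched but the template never referenced to their alias
(the aws/secretsmanager key shows up exactly this way)."""

# Constructed sample records in CloudTrail JSON shape (placeholder account,
# role and key IDs, not values from a real account).
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/stack"},
     "requestParameters": {"keyId": "11111111-2222-3333-4444-555555555555"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/stack"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/mrk-aaaabbbbccccdddd"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "errorCode": "KMSKeyNotAccessibleFault",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/stack"},
     "requestParameters": {"dBInstanceIdentifier": "db1"}},
]

# Constructed sample in the shape of `aws kms list-aliases` output.
SAMPLE_ALIASES = [
    {"AliasName": "alias/aws/secretsmanager", "TargetKeyId": "11111111-2222-3333-4444-555555555555"},
    {"AliasName": "alias/rds-data", "TargetKeyId": "mrk-aaaabbbbccccdddd"},
]


def key_id_from(value):
    """Reduce a key ARN or a bare key ID to the bare ID so both forms compare equal."""
    return value.rsplit("/", 1)[-1]


def failed_calls(events, principal_arn):
    """(service, api, errorCode) for every call by the principal that CloudTrail recorded as failed."""
    return [(e["eventSource"].split(".")[0], e["eventName"], e["errorCode"])
            for e in events
            if e.get("errorCode") and e["userIdentity"]["arn"] == principal_arn]


def unknown_kms_keys(events, referenced_keys, aliases):
    """KMS key IDs the principal touched that the template does not reference, mapped to their alias."""
    referenced = {key_id_from(k) for k in referenced_keys}
    alias_of = {key_id_from(a["TargetKeyId"]): a["AliasName"] for a in aliases}
    touched = {key_id_from(e["requestParameters"]["keyId"]) for e in events
               if e["eventSource"] == "kms.amazonaws.com"
               and "keyId" in e.get("requestParameters", {})}
    return {k: alias_of.get(k, "<no alias>") for k in touched - referenced}


if __name__ == "__main__":
    role = "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/stack"
    print(failed_calls(SAMPLE_EVENTS, role))
    print(unknown_kms_keys(SAMPLE_EVENTS, ["arn:aws:kms:*:111122223333:key/mrk-aaaabbbbccccdddd"], SAMPLE_ALIASES))
```

On a real account, feed it the `Records` array from a CloudTrail export (or `lookup-events` output) and the `Aliases` array from `aws kms list-aliases`; an unreferenced key that resolves to alias/aws/secretsmanager is the signal that the template needs kms:DescribeKey on that key.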
I had already given the cloudformation role kms:* permissions to ensure it was not a permissions issue. The specific error returned by CloudTrail was 'KMSKeyNotAccessibleFault'.
Here's the really strange part, and I'm not sure if this is a bug in AWS or not. This works:
Action:
  - 'kms:DescribeKey'
  - 'kms:CreateGrant'
Resource:
  - '*'
This doesn't:
Action:
  - 'kms:DescribeKey'
  - 'kms:CreateGrant'
Resource:
  - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/mrk-XXX'
That's a good find, glad it worked out! For future reference to others, here's the relevant link to be aware of: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html#rds-secrets-manager-permissions