I am trying to create my encryption key with CloudFormation. So just to test I have a very simple one as follows:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates a KMS key and attaches a policy similar to the default policy. Also, creates two Roles which allow encryption and decryption under this key.",
    "Parameters": {
        "UserPrincipal": {
            "Type": "String",
            "Default": "user/datadog"
        }
    },
    "Resources": {
        "DemonstrationKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": {
                    "Id": "DefaultKmsPolicy",
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [{
                                "Fn::Join": [
                                    ":", [
                                        "arn:aws:iam:",
                                        {
                                            "Ref": "AWS::AccountId"
                                        },
                                        "root"
                                    ]
                                ]
                            }]
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    }]
                }
            }
        }
    },
    "Outputs": {
        "KeyID": {
            "Description": "Key ID",
            "Value": {
                "Ref": "DemonstrationKey"
            }
        }
    }
}

And it works fine, but this is not what I want. Instead I want to attach the already existing policy to it, for example something like this:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates a KMS key and attaches a policy similar to the default policy. Also, creates two Roles which allow encryption and decryption under this key.",
    "Parameters": {
        "UserPrincipal": {
            "Type": "String",
            "Default": "user/datadog"
        }
    },
    "Resources": {
        "DemonstrationKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": "arn:aws:iam::******:policy/testtestpol1"
            }
        }
    },
    "Outputs": {
        "KeyID": {
            "Description": "Key ID",
            "Value": {
                "Ref": "DemonstrationKey"
            }
        }
    }
}

But this does not work, and I get the following error:

MalformedPolicyDocumentException

Can anyone help me with that? Is it doable at all?

Ry-
Hamed Minaee
  • Is this a valid ARN? `"arn:aws:iam::******:policy/testtestpol1"` (answer: no) – kdgregory Sep 20 '17 at 12:09
  • 1
    Well it is but when I put it here I replace the actual number with *** – Hamed Minaee Sep 20 '17 at 12:10
  • For mor einfo I already created testtestpol1 in my account – Hamed Minaee Sep 20 '17 at 12:14
  • OK, my bad for just responding to the first thing that looked wrong. The actual problem is that the key policy is [not a normal policy document](http://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access): it is specific to the key, and is required in addition to any policies that grant access to users/roles. The doc [here](http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) shows a minimal key policy that would then allow IAM policies to enable access to the key. – kdgregory Sep 20 '17 at 12:35

0 Answers
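The point made in the last comment, worked through as an added example that is not part of the original question or any answer on this page: the `KeyPolicy` property of `AWS::KMS::Key` is a resource policy document specific to the key, so it cannot be an IAM policy ARN, which is exactly what KMS rejects as `MalformedPolicyDocumentException`. The place an existing managed policy ARN can go is `ManagedPolicyArns` on a role (or user/group), and that policy only takes effect if the key policy carries the "Enable IAM User Permissions" statement that delegates to IAM. The script below builds the corrected template and runs a pre-deploy check that catches both mistakes. The account ID, the policy ARN, the `KeyUserRole` name and its EC2 trust policy are assumptions made for the example; the existing managed policy is assumed to grant the `kms:` actions the role needs, ideally scoped to the key's ARN rather than `"*"`.

```python
import json

# Constructed for this example; not a real account or a policy from the original post.
EXISTING_POLICY_ARN = "arn:aws:iam::123456789012:policy/testtestpol1"


def enable_iam_key_policy():
    """Minimal key policy from the KMS docs: the account root principal gets kms:*,
    which is what lets IAM policies in the account grant access to this key.
    KMS evaluates the key policy first, so without this delegation no IAM policy,
    managed or inline, can authorise a call against the key."""
    return {
        "Id": "DefaultKmsPolicy",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Join": [":", ["arn:aws:iam:", {"Ref": "AWS::AccountId"}, "root"]]}},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }


def build_template(existing_policy_arn):
    """Key with an inline key policy, plus a role that reuses the pre-existing managed
    policy through ManagedPolicyArns, the property where an IAM policy ARN belongs.
    The EC2 trust policy and the role name are assumptions for the example."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "DemonstrationKey": {
                "Type": "AWS::KMS::Key",
                "Properties": {"KeyPolicy": enable_iam_key_policy()},
            },
            "KeyUserRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"Service": "ec2.amazonaws.com"},
                            "Action": "sts:AssumeRole",
                        }],
                    },
                    "ManagedPolicyArns": [existing_policy_arn],
                },
            },
        },
        "Outputs": {"KeyID": {"Description": "Key ID", "Value": {"Ref": "DemonstrationKey"}}},
    }


def _is_account_root(principal):
    """True for arn:aws:iam::<account>:root given as a string, a list, or a
    CloudFormation intrinsic (Fn::Join / Fn::Sub). Intrinsics are not resolved;
    only the presence of the literal "root" segment is checked."""
    if isinstance(principal, list):
        return any(_is_account_root(p) for p in principal)
    if isinstance(principal, str):
        return principal.endswith(":root")
    if isinstance(principal, dict):
        return "root" in json.dumps(principal)
    return False


def _enables_iam(stmt):
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return stmt.get("Effect") == "Allow" and "kms:*" in actions and _is_account_root(aws)


def check_key_policy(template):
    """Pre-deploy check for every AWS::KMS::Key in a template. Catches what KMS rejects
    as MalformedPolicyDocument (KeyPolicy that is not a policy document, e.g. an ARN)
    and the quieter failure of a key policy that never delegates to IAM, which would
    make the attached managed policy useless. Returns a list of problems; [] is good."""
    problems = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        policy = res.get("Properties", {}).get("KeyPolicy")
        if not isinstance(policy, dict):
            problems.append("%s: KeyPolicy must be a policy document, got %r" % (name, policy))
            continue
        if policy.get("Version") != "2012-10-17":
            problems.append("%s: KeyPolicy Version must be 2012-10-17" % name)
        stmts = policy.get("Statement")
        if not isinstance(stmts, list) or not stmts:
            problems.append("%s: KeyPolicy needs a non-empty Statement list" % name)
            continue
        if not any(_enables_iam(s) for s in stmts):
            problems.append("%s: no statement grants the account root kms:*, so IAM policies cannot reach this key" % name)
    return problems


if __name__ == "__main__":
    good = build_template(EXISTING_POLICY_ARN)
    print(json.dumps(good, indent=2))
    print(check_key_policy(good))
    bad = build_template(EXISTING_POLICY_ARN)
    bad["Resources"]["DemonstrationKey"]["Properties"]["KeyPolicy"] = EXISTING_POLICY_ARN
    print(check_key_policy(bad))
```

Running the script prints the corrected template and an empty problem list for it, then the single "KeyPolicy must be a policy document" finding for the variant that mirrors the failing template above. The check is deliberately narrow: it validates shape and the IAM-delegation statement, not what the existing managed policy itself allows, so the scope of that policy still needs reviewing separately.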