11

Running terraform for creating a key policy in AWS KMS I am getting the error:

  • aws_kms_key.dyn_logs_server_side_cmk: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future. status code: 400, request id: e34567896780780

There are many posts about this problem but nothing helped. So, my kms.tf file is as follows:

provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region     = "${var.aws_region}"
}

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description         = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = "true"
    # The heredoc terminator must stand alone on its own line, and the IAM
    # policy language version is "2012-10-17" (the only other valid value is
    # "2008-10-17").
    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::${var.account_id}:root"},
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
EOF
}

That’s what I see in the output after

terraform apply "dyn-vpc.plan"

aws_kms_key.dyn_logs_server_side_cmk: Creating...
arn:                 "" => "<computed>"
description:         "" => "dyn-logs-server-dyn"
enable_key_rotation: "" => "true"
is_enabled:          "" => "true"
key_id:              "" => "<computed>"
key_usage:           "" => "<computed>"
policy:              "" => "{\n   \"Version\":\"2015-11-17\",\n   \"Statement\":[\n      {\n         \"Sid\": \"Enable IAM User Permissions\",\n         \"Effect\": \"Allow\",\n         \"Principal\": {\"AWS\": \"arn:aws:iam::12345678901234:root\"},\n         \"Action\": \"kms:*\",\n         \"Resource\": \"*\"\n      }\n   ]\n}\n"

aws_kms_key.dyn_logs_server_side_cmk: Still creating... (10s elapsed)
aws_kms_key.dyn_logs_server_side_cmk: Still creating... (20s elapsed)
Error applying plan:
1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk: 1 error(s) occurred:
* aws_kms_key.dyn_logs_server_side_cmk:
MalformedPolicyDocumentException: The new key policy will not allow
you to update the key policy in the future.
Alex
  • I think your Key Policy JSON is missing a closing curly brace for your statement object. – nicholas.hauschild Jan 29 '18 at 20:48
  • Missed this when formatted. The JSON was OK, otherwise it will be a different error – Alex Jan 29 '18 at 21:19
  • Is that your actual Terraform for the key policy or have you truncated the IAM actions on it? And is the `account_id` definitely the same as the user that is creating the key? It might help to use the [`aws_caller_identity` data source](https://www.terraform.io/docs/providers/aws/d/caller_identity.html) to force the use of the caller's account ID programmatically as well. – ydaetskcoR Jan 30 '18 at 14:31
  • Any idea why you used `Action": "kms:*` ? – prime Jul 04 '18 at 08:28
  • @prime If their usage is anything like mine, it's because they were following an example that did it that way. Any suggestions? – Lyle Aug 06 '21 at 23:06

2 Answers

5

In my case the account id was correct but the user creating the key wasn't included in the Enable IAM User Permissions statement. I had to do this:

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
    description         = "dyn-logs-sse-cmk-${var.environment}"
    enable_key_rotation = "true"
    # Heredoc terminator on its own line; IAM policy language version is
    # "2012-10-17".
    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${var.account_id}:root",
                    "arn:aws:iam::${var.account_id}:user/system/terraform-user"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
EOF
}
gary69
  • Yes, exactly. I had the same error and spent a couple of hours because I didn't consider what IAM user I had been using in the terraform deployment. – Perfect Feb 04 '22 at 06:12
2

Basically, the comment from @ydaetskcoR was right. The account_id in the policy was incorrect, and this resulted in the error. The MalformedPolicyDocumentException is not really informative; one needs to find the real reason.

Alex
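Both answers come down to the same check KMS performs: the principal that calls CreateKey must still be allowed to call kms:PutKeyPolicy under the new policy, either directly or through the account root. The following is an added example (not code from the question or either answer) that builds the key policy from the `aws_caller_identity` data source suggested in the comments, so a wrong `var.account_id` or a forgotten deploying user can no longer lock the caller out; it uses Terraform 0.12+ syntax and assumes the provider and `var.environment` are configured elsewhere.

```hcl
# Resolves the account ID and ARN of whoever runs terraform, at plan time.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "dyn_logs_key_policy" {
  # Account root: lets IAM policies in this account grant KMS permissions and
  # keeps account administrators able to change the key policy later.
  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # The deploying principal itself, limited to key-administration actions
  # (the set AWS uses for "key administrators"), not cryptographic use.
  statement {
    sid    = "Allow the deploying principal to administer the key"
    effect = "Allow"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.arn]
    }
  }
}

resource "aws_kms_key" "dyn_logs_server_side_cmk" {
  description         = "dyn-logs-sse-cmk-${var.environment}"
  enable_key_rotation = true
  # Rendered JSON, so no hand-written heredoc and no mismatched account ID.
  policy = data.aws_iam_policy_document.dyn_logs_key_policy.json
}
```

If terraform runs under an assumed role, `data.aws_caller_identity.current.arn` is the short-lived session ARN (`arn:aws:sts::...:assumed-role/...`); put the role's IAM ARN in the second statement instead so the grant survives the session.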