Is it possible to get a KMS Key ARN using CloudFormation using an alias? I want to give specific permissions to a Key in my AWS Account.

Something like the following?

```yaml
  - Effect: Allow
    Action: kms:Decrypt
    Resource:
      - 'Fn::GetAtt':
        - 'alias/someAliasOfAKMSKey'
        - 'arn'
```
Claudiordgz

1 Answer

You can do something like this:

```yaml
- Effect: Allow
  Action:
  - kms:Decrypt
  Resource:
  - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/someKeyNameOfAKMSKey'
```
Deiv
  • This is great, but it won't let you decrypt the key itself, only an alias; then you would need to use SSM aws-sdk to get the key from that alias using the SDK but not the key. Please refer to https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=2ahUKEwioi57B_5bgAhVFZawKHR1SDfUQFjAAegQIChAB&url=https%3A%2F%2Fforums.aws.amazon.com%2Fthread.jspa%3FthreadID%3D173540&usg=AOvVaw15arjQsWfc9nzY_YAKYXLn I've done it via terraform, but I wish there was a way to do it via CloudFormation – Claudiordgz Jan 31 '19 at 02:45
  • Ah I see, if you run into that you can simply add the key name as a resource, in the same way you do with the alias. I edited the answer with the option (I actually had to do this as well for a personal project, both alias and key in the resource, but I wasn't sure that was something you would need) – Deiv Jan 31 '19 at 14:15
  • I think this answer is misleading, since you cannot use aliases in kms:Decrypt policy: https://stackoverflow.com/a/53330312 – yurez Aug 27 '20 at 15:19
  • Thanks for the point, I edited the answer so that it removes any confusion – Deiv Sep 03 '20 at 21:17
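The answer and the comments under it boil down to one rule: an IAM policy statement for `kms:Decrypt` must name the key ARN (`arn:...:key/<key-id>`), and an alias ARN does not work as the resource. The following complete CloudFormation template is an added example, not code from the question, the answer, or AWS documentation; it shows the two cases a practitioner meets: a key created in the same template (take its ARN with `!GetAtt ... .Arn`) and a pre-existing key whose key ID arrives as a parameter (build the ARN with `!Sub`, as the answer does). The resource names `AppKey`, `AppKeyAlias`, `DecryptRole`, the alias name `alias/app-key`, the `ExistingKeyId` parameter and the Lambda trust policy are all assumptions chosen for the example. `${AWS::Partition}` replaces the hard-coded `aws` from the answer so the same template also works in GovCloud or China partitions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: grant kms:Decrypt on specific KMS keys by key ARN.
  Aliases are only pointers to keys and cannot be used as the Resource
  of a kms:Decrypt statement, so the alias below is never referenced
  from the IAM policy.

Parameters:
  ExistingKeyId:
    Type: String
    Description: >-
      Key ID (the UUID part of the key ARN) of a KMS key that already
      exists in this account and region. Assumed to be passed at deploy time.

Resources:
  # Case 1: the key is created in this template, so its ARN is an attribute.
  AppKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Example key created by the template (assumed name)
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # The key policy must keep the account root able to manage the
          # key; without this statement the key becomes unmanageable.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

  # The alias is convenient for humans and SDK calls, but it is not a
  # resource that kms:Decrypt can be scoped to.
  AppKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/app-key
      TargetKeyId: !Ref AppKey

  DecryptRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com   # assumed consumer of the key
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DecryptWithSpecificKeys
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: kms:Decrypt
                Resource:
                  # Key created above: the Arn attribute of AWS::KMS::Key
                  - !GetAtt AppKey.Arn
                  # Case 2: pre-existing key, ARN assembled from its key ID
                  - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${ExistingKeyId}'

Outputs:
  AppKeyArn:
    Description: ARN of the key created here, usable in other stacks' policies
    Value: !GetAtt AppKey.Arn
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name kms-decrypt-example --parameter-overrides ExistingKeyId=<key-id> --capabilities CAPABILITY_IAM`. Keeping the `Resource` list to explicit key ARNs rather than `*` is what makes the grant least-privilege: the role can decrypt only with these two keys, and a reviewer can tell from the template exactly which keys those are.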