
I'm trying to save encrypted data to DynamoDB with the help of the "Amazon DynamoDB Encryption Client for Java". I also use the Serverless framework to deploy my application (some Lambda functions using DynamoDB). The AWS Lambda functions are written in Kotlin.

I have this in my serverless.yml in the iamRoleStatements section (under the provider section):

```yaml
- Effect: "Allow"
  Action:
    - "kms:GenerateDataKey"
  Resource: "*"
```

I thought that it should be enough, but I'm getting this error when I'm trying to save encrypted data to DynamoDB:

```
com.amazonaws.services.kms.model.AWSKMSException: User: arn:aws:sts::120102300450:assumed-role/appname-username-eu-west-1-lambdaRole/appname-username-functionname is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:120102300450:key/12d3f45c-6fff-0007-b123-5bfe5678e012 (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ...)
```

(The alphanumeric IDs are obfuscated here to not disclose real data.)

I also tried to add several other KMS permissions, but it didn't help:

```yaml
- Effect: "Allow"
  Action:
    - "kms:GenerateDataKey"
    - "kms:GenerateDataKeyWithoutPlaintext"
    - "kms:CreateAlias"
    - "kms:CreateKey"
    - "kms:Decrypt"
    - "kms:Encrypt"
    - "kms:EnableKey"
    - "kms:UpdateAlias"
  Resource: "*"
```

So, the whole purpose of the "Amazon DynamoDB Encryption Client for Java" cannot be achieved in this case.

What is missing here?

user3791111

1 Answer


I've found what was the problem. I used the default KMS key, and I had to use a custom key. Then it worked.

user3791111
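The reason a customer-managed key fixes this is worth spelling out, since the answer above does not. The AWS managed DynamoDB key (`alias/aws/dynamodb`) has a key policy that only permits `kms:GenerateDataKey` and `kms:Decrypt` when the call arrives through the DynamoDB service (a `kms:ViaService` condition). The DynamoDB Encryption Client encrypts on the client side, so the Lambda calls KMS directly and the managed key's policy denies it no matter what the Lambda's IAM role says; an IAM policy can only grant what the key policy allows. With a customer-managed key you control the key policy. The serverless.yml below is an added example, not the asker's configuration or anything from the Encryption Client project; the service name, logical resource IDs, alias name and environment variable name are assumptions. It also tightens the asker's role statement to the two actions the client actually needs and scopes them to the one key instead of `Resource: "*"`; key-management actions such as `kms:CreateKey` or `kms:UpdateAlias` do not belong in a runtime role.

```yaml
# Added example serverless.yml (names are assumptions, not the original poster's).
service: appname

provider:
  name: aws
  runtime: java11
  region: eu-west-1
  environment:
    # Hand the key ARN to the function so the DynamoDB Encryption Client
    # can be pointed at this key rather than at the AWS managed one.
    DDB_KMS_KEY_ARN:
      Fn::GetAtt: [DdbEncryptionKey, Arn]
  iamRoleStatements:
    # Least privilege: the client only ever calls GenerateDataKey (on write)
    # and Decrypt (on read), and only against this one key.
    - Effect: Allow
      Action:
        - kms:GenerateDataKey
        - kms:Decrypt
      Resource:
        - Fn::GetAtt: [DdbEncryptionKey, Arn]

functions:
  functionname:
    handler: com.example.Handler::handleRequest

resources:
  Resources:
    # Customer-managed key. Unlike alias/aws/dynamodb, its key policy has no
    # kms:ViaService restriction, so direct calls from the Lambda are allowed
    # once the IAM role statement above grants them.
    DdbEncryptionKey:
      Type: AWS::KMS::Key
      Properties:
        Description: Customer-managed key for the DynamoDB Encryption Client
        EnableKeyRotation: true
        KeyPolicy:
          Version: "2012-10-17"
          Statement:
            # The account root principal must be allowed here, otherwise IAM
            # policies in the account (including the Lambda role) cannot grant
            # any access to this key.
            - Sid: EnableIamPoliciesForThisAccount
              Effect: Allow
              Principal:
                AWS:
                  Fn::Join:
                    - ""
                    - - "arn:aws:iam::"
                      - Ref: AWS::AccountId
                      - ":root"
              Action: kms:*
              Resource: "*"
    DdbEncryptionKeyAlias:
      Type: AWS::KMS::Alias
      Properties:
        AliasName: alias/appname-ddb-encryption
        TargetKeyId:
          Ref: DdbEncryptionKey
```

In the function, build the client's material provider from the exported ARN, for example `DirectKmsMaterialProvider(kmsClient, System.getenv("DDB_KMS_KEY_ARN"))`, so that the `GenerateDataKey` call goes to the key whose policy and role statement were just deployed. `Fn::Join` with `Ref: AWS::AccountId` is used instead of `Fn::Sub` with `${AWS::AccountId}` because the Serverless framework treats `${...}` as its own variable syntax.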