
An error occurred (NotAuthorizedException) when calling the UpdateUserPool operation: Caller needs to have kms:CreateGrant permission on provided KMS Key

aws cognito-idp update-user-pool --user-pool-id {user_pool_id} --lambda-config "CustomEmailSender={LambdaVersion=V1_0,LambdaArn=lambda-arn},KMSKeyID=key-arn"


1 Answer


There is likely one of two issues going on:

  1. You have the default KMS Key policy applied to the key-arn KMS key, but have not assigned kms:CreateGrant permission to an IAM policy applied to the user/principal running that command.
  2. You have not applied kms:CreateGrant permission for the principal running the command in the KMS key policy for the key-arn KMS key.
Foghorn
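As an added illustration of the two cases in the answer (this is example code written for this page, not code from the question, the answer or AWS), the block below models how KMS decides whether a caller may kms:CreateGrant on a key: either the key policy names the caller directly, or the key policy contains the default "Enable IAM User Permissions" statement for the account root and an IAM policy attached to the caller allows the action on that key. The account ID, caller ARN and key ARN are constructed, and the evaluator is deliberately simplified (Allow statements only, no Deny, no conditions, same-account principals, `*` and `kms:*` as the only wildcards). It also shows the case the answer implies but does not spell out: if the default key policy has been replaced by one that no longer names the account root, an IAM policy alone cannot fix the error and the key policy itself must grant kms:CreateGrant.

```python
"""Simplified model of the KMS key-policy / IAM-policy authorization decision.

Example code added for this page; account, caller and key identifiers are
constructed. Only Allow statements, no conditions, no explicit Deny, same-account
principals, and '*' / 'kms:*' as the only wildcards.
"""
import json

ACCOUNT = "123456789012"  # constructed
CALLER = f"arn:aws:iam::{ACCOUNT}:user/cognito-admin"  # constructed principal running the CLI
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
ACTION = "kms:CreateGrant"

# The policy `aws kms create-key` installs when no --policy is given: a single
# statement naming the account root, which delegates access control to IAM policies.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}
# A replaced key policy that only names a key-admin role (no root statement).
LOCKED_DOWN_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KeyAdminsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/key-admin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}
EMPTY_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _statement_allows(stmt, action, resource, principal=None):
    """True if an Allow statement covers action and resource (and principal, if given)."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None:
        p = stmt.get("Principal", {})
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    actions_ok = any(_action_matches(a, action) for a in _as_list(stmt.get("Action", [])))
    resources_ok = any(r in ("*", resource) for r in _as_list(stmt.get("Resource", "*")))
    return actions_ok and resources_ok


def key_policy_delegates_to_iam(key_policy, action, account=ACCOUNT):
    """Does the key policy hand this action to IAM via the account-root statement?"""
    root = f"arn:aws:iam::{account}:root"
    return any(_statement_allows(s, action, "*", principal=root) for s in key_policy["Statement"])


def caller_can(action, caller, key_policy, iam_policy, key_arn, account=ACCOUNT):
    """Same-account decision: direct grant in the key policy, or root delegation + IAM grant."""
    direct = any(_statement_allows(s, action, key_arn, principal=caller)
                 for s in key_policy["Statement"])
    delegated = key_policy_delegates_to_iam(key_policy, action, account) and any(
        _statement_allows(s, action, key_arn) for s in iam_policy["Statement"])
    return direct or delegated


def fix_via_iam_policy(key_arn=KEY_ARN):
    """Option 1 in the answer: keep the default key policy, attach this to the caller.
    Scoped to the one key and the one action Cognito's UpdateUserPool call needs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCreateGrantForCognitoCustomEmailSender",
        "Effect": "Allow",
        "Action": ["kms:CreateGrant"],
        "Resource": key_arn,
    }]}


def fix_via_key_policy(caller=CALLER, base=DEFAULT_KEY_POLICY):
    """Option 2 in the answer: add a statement to the key policy naming the caller."""
    policy = json.loads(json.dumps(base))  # deep copy, leave the input untouched
    policy["Statement"].append({
        "Sid": "AllowCallerCreateGrant",
        "Effect": "Allow",
        "Principal": {"AWS": caller},
        "Action": "kms:CreateGrant",
        "Resource": "*",
    })
    return policy


if __name__ == "__main__":
    cases = {
        "default key policy, no IAM grant": (DEFAULT_KEY_POLICY, EMPTY_IAM_POLICY),
        "default key policy + IAM grant (option 1)": (DEFAULT_KEY_POLICY, fix_via_iam_policy()),
        "key policy grant (option 2)": (fix_via_key_policy(), EMPTY_IAM_POLICY),
        "locked-down key policy + IAM grant": (LOCKED_DOWN_KEY_POLICY, fix_via_iam_policy()),
    }
    for name, (kp, ip) in cases.items():
        print(f"{name}: {caller_can(ACTION, CALLER, kp, ip, KEY_ARN)}")
```

The last case is the one to check first when option 1 does not resolve the NotAuthorizedException: run `aws kms get-key-policy --key-id key-arn --policy-name default` and confirm the root statement is still present before adding IAM permissions, because without it KMS ignores IAM policies for that key entirely.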