I have an SSO user; this user assumes a role that has these rights:
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:CreateBucket",
"s3:ListBucketVersions",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:GetBucketAcl",
"s3:ListAccessPoints"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::terraform-state-sso-iam*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::terraform-state-sso-iam/*",
"arn:aws:s3:::terraform-state-sso-iam*/*"
]
},
{
"Effect": "Deny",
"Action": [
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::terraform-state-sso-iam*"
]
}
This user then creates a KMS key which has these rights:
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::11111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_sso-iam-permission_323b0ee84d7a8613"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
Then I create an S3 bucket with default encryption enabled, using the KMS key I just created. But when I try to upload a file to the bucket, this is the error I get:
AccessDenied: User:
arn:aws:sts::11111111111:assumed-role/AWSReservedSSO_sso-iam-
permission_323b0ee84d7a8613/me@mydomain.com
is not authorized to perform: kms:GenerateDataKey on resource:
arn:aws:kms:us-east-1:11111111:key/4c786426-fg58-sfg7-45ft-sde5f45sd6
with an explicit deny in an identity-based policy
Am I missing some rights somewhere?
Edit:
As the first comment suggested, I removed this statement:
{
"Action": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.11.11/32"
]
}
},
"Effect": "Deny",
"Resource": "*"
},
and now it's working, but it's strange that all the other actions work and only the upload fails, because my IP didn't change the whole time.