So that happened. And I spent much longer than should’ve been necessary to figure it out. What I was trying to do was this:
- Create a symmetric AWS KMS CMK
- Use that to generate a couple of asymmetric key pairs
- Save those key pairs to Secrets Manager, using the above CMK as the encryption key
I’d already set the following permissions:
What I had neglected was the fact that Secrets Manager needs permissions to use the CMK. Adding these two helped:
This is documented at https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html, under “Authorizing Use of the CMK”.
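The three steps above, plus the permissions the post says it was missing, as an added Python example that is not from the original post. The key policy shape (account root as administrator, plus a statement that lets any caller in the account use the key only through Secrets Manager via the `kms:ViaService` and `kms:CallerAccount` condition keys) follows the linked AWS guide; the caller-side IAM policy is my reconstruction, since the post does not show the original one. The account id, region, key ARN and secret name are placeholders. `missing_secrets_manager_actions` checks offline whether a policy document grants the two KMS actions Secrets Manager performs on a customer managed CMK (`kms:GenerateDataKey` when it encrypts a secret value, `kms:Decrypt` when it reads one back); only `create_cmk_and_store_keypair` talks to AWS and needs credentials, so boto3 is imported lazily inside it.

```python
import base64
import fnmatch
import json

# KMS actions Secrets Manager calls on a customer managed CMK on the caller's
# behalf (encrypting a new secret value, then decrypting it on retrieval).
SECRETS_MANAGER_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def secrets_manager_key_policy(account_id, region):
    """Key policy (as a dict) for the symmetric CMK: account root administers
    the key, and any principal in the account may use it, but only through
    Secrets Manager in this region (kms:ViaService / kms:CallerAccount)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowAccessThroughSecretsManager",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": list(SECRETS_MANAGER_ACTIONS),
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": f"secretsmanager.{region}.amazonaws.com",
                        "kms:CallerAccount": account_id,
                    }
                },
            },
        ],
    }


def caller_iam_policy(key_arn):
    """IAM policy for the principal running the procedure (hypothetical
    reconstruction): generate the asymmetric pair under the CMK, let Secrets
    Manager use the CMK on its behalf, and create the secret itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["kms:GenerateDataKeyPair", *SECRETS_MANAGER_ACTIONS],
                "Resource": key_arn,
            },
            {"Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "*"},
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_secrets_manager_actions(policy):
    """Return the subset of SECRETS_MANAGER_ACTIONS that no Allow statement in
    `policy` grants. Wildcards in Action are honoured; a statement whose
    kms:ViaService condition names a service other than Secrets Manager is
    ignored, because KMS would not apply it to Secrets Manager's calls."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        via = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if via and not any(v.startswith("secretsmanager.") for v in _as_list(via)):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for needed in SECRETS_MANAGER_ACTIONS:
                # IAM action names are matched case-insensitively
                if fnmatch.fnmatchcase(needed.lower(), pattern.lower()):
                    granted.add(needed)
    return set(SECRETS_MANAGER_ACTIONS) - granted


def create_cmk_and_store_keypair(account_id, region, secret_name, key_pair_spec="RSA_2048"):
    """Create the symmetric CMK with the policy above, generate an asymmetric
    data key pair under it, and store the pair in Secrets Manager encrypted
    with that same CMK. Requires AWS credentials; returns the new key id."""
    import boto3  # assumed to be installed where this function is run

    kms = boto3.client("kms", region_name=region)
    sm = boto3.client("secretsmanager", region_name=region)
    key = kms.create_key(
        Description="CMK protecting generated key pairs",
        KeySpec="SYMMETRIC_DEFAULT",
        KeyUsage="ENCRYPT_DECRYPT",
        Policy=json.dumps(secrets_manager_key_policy(account_id, region)),
    )
    key_id = key["KeyMetadata"]["KeyId"]
    # GenerateDataKeyPair needs a symmetric CMK; the private key comes back as
    # PKCS#8 DER, the public key as SubjectPublicKeyInfo DER.
    pair = kms.generate_data_key_pair(KeyId=key_id, KeyPairSpec=key_pair_spec)
    secret_value = {
        "public_key_der_b64": base64.b64encode(pair["PublicKey"]).decode(),
        "private_key_der_b64": base64.b64encode(pair["PrivateKeyPlaintext"]).decode(),
    }
    # Secrets Manager calls kms:GenerateDataKey on the CMK here; without the
    # ViaService statement (or matching IAM permissions) this is the call that fails.
    sm.create_secret(Name=secret_name, SecretString=json.dumps(secret_value), KmsKeyId=key_id)
    return key_id
```

Before touching AWS, run `missing_secrets_manager_actions` over both the key policy and the caller's IAM policy: the call that fails in the post is Secrets Manager's own `GenerateDataKey` against the CMK, and the same check will flag a key policy that only grants `kms:Encrypt`, or one whose `kms:ViaService` condition points at a different service.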