So that happened. And I spent much longer than should’ve been necessary to figure it out. What I was trying to do was this:
- Create a symmetric AWS KMS CMK
- Use that to generate a couple of asymmetric key pairs
- Save those key pairs to Secrets Manager, using the above CMK as the encryption key
I’d already set the following permissions:
- kms:GenerateDataKeyPairWithoutPlaintext
- secretsmanager:DescribeSecret
- secretsmanager:CreateSecret
What I had neglected was that Secrets Manager uses the CMK on the caller’s behalf to encrypt and decrypt the secret, so the calling principal also needs KMS permissions for that. Adding these two helped:
- kms:GenerateDataKey
- kms:Decrypt
This is documented in https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html, under “Authorizing Use of the CMK”.
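The procedure above, as an added example that is not the post’s own code: an IAM identity policy carrying the full set of actions the three steps need, a pre-flight check that reports which required actions a policy does not grant (useful for spotting exactly the gap the post describes before the first API call), and the two AWS calls themselves. The key ARN, secret name and region are placeholders; `kms` and `secretsmanager` are boto3 clients the caller constructs, and the only boto3 methods used (`generate_data_key_pair_without_plaintext`, `create_secret`) are the real ones with their documented parameters.

```python
"""Generate a CMK-wrapped asymmetric key pair and store it in Secrets Manager.

Added example, not code from the original post. KEY_ARN / SECRET_PREFIX below
are placeholders; replace them before running against a real account.
"""
import base64
import json
import re

# Actions the three-step procedure exercises. The last two KMS actions are the
# ones the post found missing: Secrets Manager calls KMS with the caller's
# credentials to wrap (GenerateDataKey) and unwrap (Decrypt) the secret.
REQUIRED_ACTIONS = {
    "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:GenerateDataKey",
    "kms:Decrypt",
    "secretsmanager:CreateSecret",
    "secretsmanager:DescribeSecret",
}


def identity_policy(key_arn, secret_arn_prefix):
    """IAM identity policy granting exactly REQUIRED_ACTIONS, scoped to one
    CMK and one secret name prefix (both placeholders supplied by the caller)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UseCmk",
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKeyPairWithoutPlaintext",
                    "kms:GenerateDataKey",
                    "kms:Decrypt",
                ],
                "Resource": key_arn,
            },
            {
                "Sid": "ManageSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:CreateSecret", "secretsmanager:DescribeSecret"],
                "Resource": secret_arn_prefix,
            },
        ],
    }


def _iam_action_pattern(action):
    # IAM action strings: '*' is a wildcard and matching is case-insensitive.
    return re.compile("^" + re.escape(action).replace(r"\*", ".*") + "$", re.IGNORECASE)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Pre-flight check: the required actions no Allow statement grants.
    Only Effect/Action are evaluated; Resource and Condition are ignored, so a
    clean result is necessary but not sufficient for the calls to succeed."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(_iam_action_pattern(a) for a in actions)
    return {a for a in required if not any(p.match(a) for p in patterns)}


def create_keypair_secret(kms, secretsmanager, key_id, secret_name, spec="RSA_2048"):
    """Steps 2 and 3 of the post: generate a key pair under the CMK and store it.
    `kms` and `secretsmanager` are boto3 clients created by the caller."""
    pair = kms.generate_data_key_pair_without_plaintext(KeyId=key_id, KeyPairSpec=spec)
    payload = {
        "key_pair_spec": spec,
        "public_key_der_b64": base64.b64encode(pair["PublicKey"]).decode(),
        # The private key only ever leaves KMS wrapped under the CMK; storing the
        # ciphertext means a reader needs kms:Decrypt on this key to use it.
        "private_key_ciphertext_b64": base64.b64encode(pair["PrivateKeyCiphertextBlob"]).decode(),
    }
    resp = secretsmanager.create_secret(
        Name=secret_name,
        KmsKeyId=key_id,  # Secrets Manager calls kms:GenerateDataKey on this key as us
        SecretString=json.dumps(payload),
    )
    return resp["ARN"]


if __name__ == "__main__":
    KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/REPLACE-ME"  # placeholder
    SECRET_PREFIX = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/*"
    policy = identity_policy(KEY_ARN, SECRET_PREFIX)
    print(json.dumps(policy, indent=2))
    print("missing:", missing_actions(policy) or "none")
    # With real clients: create_keypair_secret(boto3.client("kms"),
    #     boto3.client("secretsmanager"), KEY_ARN, "example/signing-key")
```

Running `missing_actions` against the post’s original three actions returns exactly `kms:GenerateDataKey` and `kms:Decrypt`. One check the identity policy does not cover: if the CMK has a non-default key policy, it must also allow the calling principal those KMS actions (the linked AWS page covers the `kms:ViaService` condition for Secrets Manager), otherwise the calls still fail with AccessDenied from KMS.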