AccessDeniedException: Access to KMS is not allowed

So that happened. And I spent much longer than should’ve been necessary to figure it out. What I was trying to do was this:

  • Create a symmetric AWS KMS CMK
  • Use that to generate a couple of asymmetric key pairs
  • Save those key pairs to Secrets Manager, using the above CMK as the encryption key

I’d already set the following permissions:


What I had neglected was that Secrets Manager itself needs permission to use the CMK: when a secret is written or read, the KMS calls are made by Secrets Manager on the caller's behalf, so the CMK's policy has to allow them. Adding these two helped:


This is documented in , under “Authorizing Use of the CMK”.
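The fix above, worked through as an added example (not code from the original post): the policy statement that lets Secrets Manager use a customer-managed CMK on the caller's behalf is built next to a default-style key policy that lacks it, and a small offline evaluator shows the difference. Secrets Manager calls `kms:GenerateDataKey` when a secret is created or updated and `kms:Decrypt` when it is read, and the `kms:ViaService` condition restricts that grant to calls that arrive through Secrets Manager in one region. The account ID, region, role ARN and statement Sids are made up, and the evaluator only understands the pieces of IAM this example needs; it is not a real policy engine. The statement is shown in the key policy here, but the same Action/Condition pair can live in the caller's IAM policy instead, provided the key policy delegates to IAM via the usual root statement.

```python
"""Added example: a KMS key policy before and after granting Secrets Manager use of the
key, plus a minimal offline evaluator. All identifiers are constructed for illustration."""
import fnmatch
import json

ACCOUNT = "123456789012"                                  # constructed account ID
REGION = "us-east-1"                                      # constructed region
CALLER = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"          # hypothetical caller role
SECRETS_MANAGER = f"secretsmanager.{REGION}.amazonaws.com" # kms:ViaService value


def base_key_policy():
    """Default-style key policy: root gets everything, the caller may administer the
    key but has no statement letting it (or a service acting for it) use the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": CALLER},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"],
             "Resource": "*"},
        ],
    }


def secrets_manager_statement(principal, region):
    """The statement Secrets Manager needs: GenerateDataKey on write, Decrypt on read,
    and only when the request reaches KMS via Secrets Manager in this region."""
    return {
        "Sid": "AllowSecretsManagerToUseKey",
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def with_secrets_manager_access(policy, principal, region):
    """Return a copy of `policy` with the Secrets Manager statement appended."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"].append(secrets_manager_statement(principal, region))
    return fixed


def _listify(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, principal, action, via_service=None):
    """Toy evaluator for this example only: an explicit Deny wins; otherwise the request
    is allowed if any Allow statement matches principal, action (with '*' wildcards)
    and the single condition key understood here, StringEquals on kms:ViaService.
    A direct call has no kms:ViaService key, so a statement requiring it does not match."""
    allowed = False
    for st in policy["Statement"]:
        p = st["Principal"]
        principals = ["*"] if p == "*" else _listify(p.get("AWS", []))
        if principal not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(st["Action"])):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "kms:ViaService" in cond and via_service != cond["kms:ViaService"]:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    before = base_key_policy()
    after = with_secrets_manager_access(before, CALLER, REGION)
    for name, pol in (("before", before), ("after", after)):
        for action in ("kms:GenerateDataKey", "kms:Decrypt"):
            print(name, action, "via Secrets Manager:",
                  is_allowed(pol, CALLER, action, via_service=SECRETS_MANAGER))
    print(json.dumps(secrets_manager_statement(CALLER, REGION), indent=2))
```

The evaluator makes the failure mode visible: with the base policy, `kms:GenerateDataKey` via Secrets Manager is denied, which is what surfaces as `AccessDeniedException: Access to KMS is not allowed`; after the statement is added, both actions succeed through Secrets Manager in that region, while a direct `kms:Decrypt` call by the same role, or a call through Secrets Manager in another region, is still denied.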

