AccessDeniedException: Access to KMS is not allowed

So that happened. And I spent much longer than should’ve been necessary to figure it out. What I was trying to do was this:

  • Create a symmetric AWS KMS CMK
  • Use that to generate a couple of asymmetric key pairs
  • Save those key pairs to Secrets Manager, using the above CMK as the encryption key

I’d already set the following permissions:

kms:GenerateDataKeyPairWithoutPlaintext
secretsmanager:DescribeSecret
secretsmanager:CreateSecret

What I had neglected was the fact that Secrets Manager needs permissions to use the CMK. Adding these two helped:

kms:GenerateDataKey
kms:Decrypt

This is documented in https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html, under “Authorizing Use of the CMK”.
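The quickest way to catch this class of mistake before the AccessDeniedException is to check the policy against the full action list the workflow needs, not just the calls your own code makes. The following lint is an added example, not code from the post: it takes the five actions named above (the three originally granted plus the two Secrets Manager needs for the CMK) and reports which ones an IAM policy document fails to grant. It mirrors IAM's action matching (case-insensitive, `*`/`?` wildcards, explicit Deny overriding Allow) but evaluates the Action element only; Resource and Condition are ignored, which is an assumption stated in the code. The two sample policies and the ARN in them are constructed placeholders.

```python
"""Lint an IAM policy for the actions the Secrets Manager + CMK workflow needs."""
import fnmatch
import json

# Actions the post identifies: generate an asymmetric data key pair under a
# symmetric CMK, then store it in Secrets Manager with that CMK as the
# secret's encryption key. The last two are the ones Secrets Manager itself
# needs in order to use the CMK on the caller's behalf.
REQUIRED_ACTIONS = (
    "kms:GenerateDataKeyPairWithoutPlaintext",
    "secretsmanager:DescribeSecret",
    "secretsmanager:CreateSecret",
    "kms:GenerateDataKey",
    "kms:Decrypt",
)


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action/NotAction clause applies to `action`.

    Assumption: only the action element is evaluated. Resource and Condition
    are ignored, so a clean result here is necessary, not sufficient.
    """
    if "Action" in statement:
        return any(_action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def is_allowed(policy, action):
    """Evaluate one action: an explicit Deny wins, otherwise any Allow grants it."""
    statements = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant, in the order listed."""
    policy = json.loads(policy_json)
    return [a for a in required if not is_allowed(policy, a)]


# Constructed sample: the policy as the post first had it. The key ARN is a
# placeholder, not a real account or key identifier.
BEFORE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:GenerateDataKeyPairWithoutPlaintext",
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:DescribeSecret", "secretsmanager:CreateSecret"],
            "Resource": "*",
        },
    ],
})

# Constructed sample: the same policy after adding the two actions from the post.
AFTER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKeyPairWithoutPlaintext",
                "kms:GenerateDataKey",
                "kms:Decrypt",
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print("before:", missing_actions(BEFORE_POLICY))  # the two kms actions
    print("after: ", missing_actions(AFTER_POLICY))   # nothing missing
```

Run it against the policy attached to the role or user that calls Secrets Manager; an empty list means the Action side is right, and anything left over is a candidate cause of the AccessDeniedException. Because the check deliberately skips Resource and Condition, a policy that names the wrong key ARN will still pass here and fail at runtime.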
