Give persmission to use AWS KMS key to another account
Question
I created KMS key by using KMS client (PHP).
`new KmsClient([
'credentials' => [
'key' => $awsKey,
'secret' => $awsSecret,
],
'version' => 'latest',
'region' => 'us-east-1',
]);`
Now I want to share this key with some other users. I have their Account IDs,
How can I do that, by using RDS api?
Nothing works. I'm also unable to find any examples in GitHub examples.
1 answers
solution1
1 2023-01-27 12:09:42
You need to create a policy to give permission to another account access it. Check here for more details. 444455556666 is other account's id.
{
"Sid": "Allow an external account to use this KMS key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::444455556666:root"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
AWS - Can a KMS replica key be created in a different account from the primary
KMS Not found Exception in AWS Cross Account S3 PutObject encrypted by AWS Managed Key
How AWS KMS determine which key to use when decrypt?
cross account access for decrypt object with default aws/S3 KMS key
How to use existing kms key and subnet in aws cdk when deploying to multiple accounts
How to use the private and public key generated from Aws Kms GenerateDataKeyPair method to sign and verify a message
aws cli: how to find kms key id?
Grant permission to use specific KMS key in GCP
s3 cross account access with default kms key
How to use AWS AppSync in one account access DynamoDB in another account?
Related Tags