How to decrypt a SecureString value from Parameter Store with .NET Core's AmazonSimpleSystemsManagementClient

I have the following code in a Lambda function:

        using Amazon;
        using Amazon.SimpleSystemsManagement;
        using Amazon.SimpleSystemsManagement.Model;

        var ssmConfig = new AmazonSimpleSystemsManagementConfig
        {
            RegionEndpoint = RegionEndpoint.APSoutheast2
        };

        using (var ssmClient = new AmazonSimpleSystemsManagementClient(ssmConfig))
        {
            // WithDecryption = true makes SSM call KMS on the caller's behalf,
            // so the Lambda role must be allowed kms:Decrypt on the parameter's key
            var myParameter = await ssmClient.GetParameterAsync(
                new GetParameterRequest
                {
                    Name = "myParameter",
                    WithDecryption = true
                });
        }

The Lambda function has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:ap-southeast-2:23314131242:parameter/myParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-2:23314131242:key/myKey"
            ]
        }
    ]
}

But I get the following error:

Amazon.SimpleSystemsManagement.AmazonSimpleSystemsManagementException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access

Using the IAM Policy Simulator, I have verified that the Lambda's role has the expected permissions.

Do I need to specify the CMK alias somehow? What else could be wrong?

Answer 1

I found that I also needed to add the Lambda's role as a "Key user" of the CMK. See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users for details.

This can be done through the console by editing the CMK and scrolling down to the Key users section.
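For reference, this is the key policy that results from the console step above, written out as an added illustration rather than taken from the original answer. The account ID is the one used in the question's IAM policy; the role name `myLambdaRole` is a placeholder. The first statement is the default that keeps IAM policies in the account effective (removing it makes the key policy the only source of access), and the second is the "Key users" statement the console adds; both the IAM policy on the role and this key policy grant must allow kms:Decrypt before WithDecryption = true can succeed.

```json
{
  "Version": "2012-10-17",
  "Id": "key-policy-with-lambda-key-user",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::23314131242:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::23314131242:role/myLambdaRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The `"Resource": "*"` in a key policy refers only to the key the policy is attached to, so it does not widen access beyond that CMK.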
