How do I resolve the error "The new key policy will not allow you to update the key policy in the future" when I try to create an AWS KMS key using AWS CloudFormation?


When I create an AWS KMS key and define an AWS Key Management Service (AWS KMS) key policy using AWS CloudFormation, the AWS KMS key creation fails. Then, I get the following error message: "The new key policy will not allow you to update the key policy in the future."

Short description

AWS KMS performs safety checks when a key policy is created. One safety check confirms that the principal in the key policy has the permissions required to call the CreateKey and PutKeyPolicy API operations. This check eliminates the possibility of the AWS KMS key becoming unmanageable, which means that you can't change the key policy or delete the key.

Important: Be sure that the key policy that you create allows the current user to administer the AWS KMS key.

Resolution

When you create an AWS CloudFormation stack, an AWS Identity and Access Management (IAM) user or role makes the CreateStack API call. That same user or role is also used to create the resources specified in the AWS CloudFormation template.

1.    When you create an AWS KMS key using AWS CloudFormation, make the IAM user or role that creates the stack the key administrator principal in the key policy.

In the following example, the AWS CloudFormation stack is created by the IAM user arn:aws:iam::123456789012:user/Alice. The principal is designated as the key administrator. The IAM user "Alice" is now allowed to modify the key policy after the key policy is created.

{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "Description" : "A sample key",
    "KeyPolicy" : {
      "Version": "2012-10-17",
      "Id": "key-default-1",
      "Statement": [
        {
          "Sid": "Allow administration of the key",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
          "Action": [
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        }
      ]
    }
  }
}

2.    Set the principal key administrator, or set the AWS account root user as the principal key administrator.

To set the principal key administrator, use the Amazon Resource Name (ARN):

If your AWS CloudFormation stack is created by a SAML or web federated user account, set the principal as the user's assumed role for the ARN. For example:

"Principal": { "AWS": "arn:aws:sts::123456789012:assumed-role/FederatedAccess/FederatedUsername" }

Note: The name of the IAM role is FederatedAccess, and the name of the federated user is FederatedUsername.

If the AWS CloudFormation service role is used to create the stack, then set the principal as the service role ARN. For example:

"Principal": { "AWS": "arn:aws:iam::123456789012:role/ServiceRoleName" }

Note: The name of the AWS CloudFormation service role is ServiceRoleName.

To set the AWS account root user as the principal key administrator, see the following example:

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }

Note: If the principal key administrator is set to the root ARN, be sure you have the correct permissions. The IAM user, role, or service role creating the AWS CloudFormation stack must have the IAM permissions to make the CreateKey and PutKeyPolicy API calls.
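The following pre-deployment check is an added example, not part of the article or an AWS tool. Using only the Python standard library, it reads the KeyPolicy of every AWS::KMS::Key in a template and reports the keys whose policy does not grant kms:PutKeyPolicy to the principal that will call CreateStack (the ARN you get from sts get-caller-identity), which is the permission the lockout safety check requires; the template, account ID and ARNs are constructed from the article's sample, and the root-ARN and assumed-role handling mirror the cases in step 2.

```python
import fnmatch
import json

# Constructed sample template: the article's key resource with a shortened action list.
TEMPLATE = json.loads("""{"Resources": {"SampleKey": {
  "Type": "AWS::KMS::Key",
  "Properties": {"KeyPolicy": {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow administration of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"},
     "Action": ["kms:Create*", "kms:Put*", "kms:Describe*"], "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/Bob"},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}
  ]}}}}}""")

# The key-policy permission the lockout safety check requires the creating principal to hold.
REQUIRED_ACTION = "kms:PutKeyPolicy"

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_matches(principal, caller_arn):
    """True if a statement's principal covers caller_arn: an exact ARN match
    (user, role or sts assumed-role ARN), the wildcard principal, or the account
    root ARN, which delegates to IAM identities in that account."""
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    root_arn = "arn:aws:iam::%s:root" % account
    return any(p in (caller_arn, root_arn, account, "*")
               for p in as_list(principal.get("AWS", [])))

def policy_allows(policy, caller_arn, action=REQUIRED_ACTION):
    """True if some Allow statement grants `action` to the caller. Action patterns
    such as kms:Put* or kms:* are matched as IAM wildcards; Deny statements are
    not evaluated by this simplified check."""
    return any(stmt.get("Effect") == "Allow"
               and principal_matches(stmt.get("Principal", {}), caller_arn)
               and any(fnmatch.fnmatchcase(action, pat) for pat in as_list(stmt.get("Action", [])))
               for stmt in policy.get("Statement", []))

def keys_that_would_lock_out(template, caller_arn):
    """Logical IDs of AWS::KMS::Key resources whose KeyPolicy would not let
    caller_arn (the identity calling CreateStack) update the policy later."""
    return sorted(name for name, res in template.get("Resources", {}).items()
                  if res.get("Type") == "AWS::KMS::Key"
                  and not policy_allows(res["Properties"]["KeyPolicy"], caller_arn))
```

Run it with the caller ARN that will actually deploy the stack; any logical ID it returns is a key whose CreateKey call will fail with the error in the title.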


Related information

AWS Key Management Service

Authentication and access control for AWS KMS

AWS OFFICIAL. Updated a year ago.