How do I get AWS cross-account KMS keys to work?

Your key, role and policies are set up correctly. When you call describe-key on a Customer Master Key (CMK) that is in a different AWS account, you have to specify the key ARN or alias ARN in the value of the key-id parameter.

From the official docs:

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

That said, if you do something like the following, it will work:

aws> kms describe-key --key-id=arn:aws:kms:us-west-2:111:key/abc-def
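
A local pre-flight check for the rule quoted above, added here as an example (it is not part of the original answer and not AWS code): it classifies a KeyId value and reports whether it can reach a key owned by another account. The function names `classify_key_id` and `check_cross_account` are hypothetical, and the 12-digit account IDs and key names are constructed sample values.

```python
import re

# Key ARN / alias ARN: arn:<partition>:kms:<region>:<12-digit account>:<key|alias>/<name>
_KMS_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<rtype>key|alias)/(?P<name>.+)$"
)


def classify_key_id(key_id):
    """Return (form, owner_account); owner_account is None for bare forms."""
    m = _KMS_ARN.match(key_id)
    if m:
        form = "key-arn" if m["rtype"] == "key" else "alias-arn"
        return form, m["account"]
    if key_id.startswith("arn:"):
        raise ValueError(f"not a well-formed KMS key or alias ARN: {key_id!r}")
    if key_id.startswith("alias/"):
        return "alias-name", None
    return "key-id", None


def check_cross_account(key_id, caller_account, key_account):
    """Return (ok, reason) for using key_id to reach a key in key_account."""
    form, owner = classify_key_id(key_id)
    if owner is None:
        # Bare key IDs and alias names are resolved in the caller's account.
        if caller_account != key_account:
            return False, f"{form} resolves in {caller_account}; use the key ARN or alias ARN"
        return True, f"{form} is fine for a key in the caller's own account"
    if owner != key_account:
        return False, f"{form} names account {owner}, expected {key_account}"
    return True, f"{form} names the owning account {owner} explicitly"


if __name__ == "__main__":
    # Constructed sample values: account IDs and key names are made up.
    caller, owner = "444455556666", "111122223333"
    for kid in ("abc-def", "alias/app",
                f"arn:aws:kms:us-west-2:{owner}:key/abc-def",
                f"arn:aws:kms:us-west-2:{owner}:alias/app"):
        print(kid, "->", check_cross_account(kid, caller, owner))
```

The check only inspects the identifier string; the key policy and the caller's IAM policy still have to allow the call.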