i've been trying to dynamically add Principal into the AWS KMS Policy statement via aws kms cli and I'm dead serious AWS docs are one of the worst docs ever!
anyone knows how to programmatically (using aws kms or any other alternative) to add Principal into the policy statement below ?
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
// I need to programatically add the ARN role here
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
It is not possible to add new principals to resource policies using CLI.
You can however replace a key policy with a new version using put-key-policy command.
The best way to add principals dynamically is to generate key policies by leveraging code generation techniques. I usually use Python with Jinja2.
The generated policy can be attached to a CMK by using the following command:
aws kms put-key-policy \
--policy-name default \
--key-id <kms-key-id> \
--policy file://new_key_policy.json