Amazon Kinesis에서 메시지를 읽을 때 KMSAccessDeniedException이 발생했습니다.

tag-icon tag-icon encryption java streaming amazon-web-services
Amazon Kinesis에서 메시지를 읽을 때 KMSAccessDeniedException이 발생했습니다.

Kinesis 스트림의 Java 애플리케이션에서 메시지를 사용하려고 시도했는데 해당 스트림은 다른 AWS 계정이 소유하고 있습니다.

메시지를 읽으면 다음 오류가 발생합니다.

com.amazonaws.services.kinesis.model.AmazonKinesisException: User ARTRIOONHGFA4UYTVBSF3:crossAccountTest is not authorized to decrypt records in stream 123456123456:stream-name:1234567890 (Service: AmazonKinesis; Status Code: 400; Error Code: KMSAccessDeniedException; Request ID: 00000000-0000-0000-0000-0000000000)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1579)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1249)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
 at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
 at com.amazonaws.services.kinesis.AmazonKinesisClient.doInvoke(AmazonKinesisClient.java:1831)
 at com.amazonaws.services.kinesis.AmazonKinesisClient.invoke(AmazonKinesisClient.java:1807)
 at com.amazonaws.services.kinesis.AmazonKinesisClient.getRecords(AmazonKinesisClient.java:912)
 at com.kafka.connect.KinesisSourceTask.poll(KinesisSourceTask.java:89)
 at org.apache.kafka.connect.runtime.WorkerSourceTask.poll(WorkerSourceTask.java:244)
 at org.apache.kafka.connect.runtime.WorkerSourceTask.execute(WorkerSourceTask.java:220)
 at org.apache.kafka.connect.runtime.WorkerTask.doRun(WorkerTask.java:175)
 at org.apache.kafka.connect.runtime.WorkerTask.run(WorkerTask.java:219)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)

IAM 역할은 스트림과 스트림을 암호화하는 데 사용되는 KMS 키에 대한 액세스를 허용합니다. CLI에서 역할을 맡아 거기에서 메시지를 소비하려고 시도했지만 동일한 오류 메시지가 나타납니다. An error occurred (KMSAccessDeniedException) when calling the GetRecords operation: User ARTRIOONHGFA4UYTVBSF3:crossAccountTest is not authorized to decrypt records in stream 123456123456:stream-name:1234567890

답변1

Allow스트림을 암호화하는 데 사용된 KMS 키 에 위임된 역할이 키에 액세스할 수 있도록 하는 명시적인 권한이 없다는 사실을 발견했습니다 .

다음을 포함하도록 주요 정책이 업데이트되었습니다.

{
            "Sid": "Allow use of the NDH Role Assuming Accessing the Kinesis Data Stream",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: 123456123456:role/assumed-role"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kinesis:ap-southeast-2: 123456123456:stream/stream-name"
            ]
}

관련 정보