從 Amazon Kinesis 讀取訊息時出現 KMSAccessDeniedException

tag-icon tag-icon encryption java streaming amazon-web-services
從 Amazon Kinesis 讀取訊息時出現 KMSAccessDeniedException

我一直在嘗試從 Kinesis Stream 使用 Java 應用程式中的消息,該流由另一個 AWS 帳戶擁有。

當我閱讀該訊息時,會拋出以下錯誤:

com.amazonaws.services.kinesis.model.AmazonKinesisException: User ARTRIOONHGFA4UYTVBSF3:crossAccountTest is not authorized to decrypt records in stream 123456123456:stream-name:1234567890 (Service: AmazonKinesis; Status Code: 400; Error Code: KMSAccessDeniedException; Request ID: 00000000-0000-0000-0000-0000000000)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1579)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1249)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
 at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
 at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
 at com.amazonaws.services.kinesis.AmazonKinesisClient.doInvoke(AmazonKinesisClient.java:1831)
 at com.amazonaws.services.kinesis.AmazonKinesisClient.invoke(AmazonKinesisClient.java:1807)
 at com.amazonaws.services.kinesis.AmazonKinesisClient.getRecords(AmazonKinesisClient.java:912)
 at com.kafka.connect.KinesisSourceTask.poll(KinesisSourceTask.java:89)
 at org.apache.kafka.connect.runtime.WorkerSourceTask.poll(WorkerSourceTask.java:244)
 at org.apache.kafka.connect.runtime.WorkerSourceTask.execute(WorkerSourceTask.java:220)
 at org.apache.kafka.connect.runtime.WorkerTask.doRun(WorkerTask.java:175)
 at org.apache.kafka.connect.runtime.WorkerTask.run(WorkerTask.java:219)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)

IAM 角色允許存取串流以及用於加密串流的 KMS 金鑰。我嘗試在 CLI 上承擔角色並使用其中的訊息,但出現相同的錯誤訊息。 An error occurred (KMSAccessDeniedException) when calling the GetRecords operation: User ARTRIOONHGFA4UYTVBSF3:crossAccountTest is not authorized to decrypt records in stream 123456123456:stream-name:1234567890

答案1

我發現用於加密流的 KMS 金鑰沒有明確的Allow權限,無法讓假定的角色存取該金鑰。

更新了關鍵政策,包括

{
            "Sid": "Allow use of the NDH Role Assuming Accessing the Kinesis Data Stream",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: 123456123456:role/assumed-role"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kinesis:ap-southeast-2: 123456123456:stream/stream-name"
            ]
}

相關內容