Given the following policy document:

```hcl
data "aws_iam_policy_document" "flow_log_encryption_key_policy" {
  for_each = local.cloudwatch_flow_log_for_each

  statement {
    sid = "Enable IAM User Permissions"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    effect    = "Allow"
    actions   = ["kms:*"]
    resources = [local.kms_key_arn_prefix]
  }
}
```
I'm receiving the following error when creating a key that references the policy:

```
Error: creating KMS Key: MalformedPolicyDocumentException: The new key policy will not allow you to update the key policy in the future
```
If I adjust the identifiers argument to:

```hcl
identifiers = [
  "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
  "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/*"
]
```
I receive an invalid principal error:

```
Error: creating KMS Key: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
```
Any thoughts on what I’m doing wrong?
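A version of the policy and key that avoids both errors, added here as an example and not part of the original post. It rests on two documented KMS constraints: the Resource element of a key policy must be `"*"` (meaning the key the policy is attached to; a key ARN or ARN prefix does not match, so the caller is not granted `kms:PutKeyPolicy` and KMS refuses to create the key), and Principal ARNs may not contain wildcards such as `user/*`, so an account-wide grant uses the account root principal, which delegates the actual decision to the account's IAM policies. The `local.cloudwatch_flow_log_for_each` map, the `aws_kms_key.flow_log` resource and its description are assumptions made to show the wiring end to end.

```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "flow_log_encryption_key_policy" {
  for_each = local.cloudwatch_flow_log_for_each # assumption: map of flow-log names

  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"

    principals {
      type = "AWS"
      # Account root only. Wildcards are not valid inside a principal ARN,
      # which is what produced the "invalid principals" error for user/*.
      # Root delegates to IAM, so any user or role in the account whose
      # identity policy allows the kms:* action it needs gets access.
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    actions = ["kms:*"]

    # In a key policy the resource is always "*", i.e. "this key".
    # Using an ARN prefix here left nobody with kms:PutKeyPolicy on the
    # new key, which is the lockout condition KMS rejected.
    resources = ["*"]
  }
}

resource "aws_kms_key" "flow_log" {
  for_each = local.cloudwatch_flow_log_for_each # assumption: same map as above

  description         = "CloudWatch flow log encryption key (${each.key})" # assumption
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.flow_log_encryption_key_policy[each.key].json
}
```

If you later narrow the statement (for example to a specific role instead of root), the principal that runs `terraform apply` still needs `kms:PutKeyPolicy` on the key through the key policy, or the same lockout error returns. Setting `bypass_policy_lockout_safety_check = true` on `aws_kms_key` silences the check but can leave you with a key nobody can administer, so it is a last resort rather than a fix.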