How to assume role to read KMS keys?

jorhett · March 1, 2022, 11:33pm

FYI I have tried both of these configurations, and neither one works. Both output the exact same error messages even at trace level so it’s hard to know if the values are even being read

kms "awskms" {
  purpose    = "worker-auth"
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:1234567890:key/_SNIP_"
  role_arn   = "arn:aws:iam::1234567890:role/boundary-worker-staging"
  web_identity_token_file = "/etc/boundary.d/token"
}

Then I tried using the aws config that works fine for the aws cli as shown in my previous message, along with this worker config:

kms "awskms" {
  purpose    = "worker-auth"
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:1234567890:key/_SNIP_"
  shared_creds_filename = "/etc/boundary.d/aws_config"
  shared_creds_profile = "security"
}

Still no luck.

Topic		Replies	Views
Cross-Account KMS? Boundary	10	2136	August 19, 2021
How to assume role and not use access keys? Terraform Providers	1	562	February 15, 2022
Aws provider can't assume role but AWS CLI can AWS	4	4587	April 7, 2023
AWS IAM Assume Role - Replacing IAM Role Terraform	0	276	December 10, 2021
Aws_iam_access_key with KMS Terraform	1	489	September 28, 2020

How to assume role to read KMS keys?

Related topics