Restoring a snapshot created from a cluster using AWS KMS seal


We are trying to set up a new Vault cluster using a snapshot. The original snapshot was created from a cluster which is using the AWS KMS seal.

When I try to load the snapshot into the new cluster, I get:

xxxxx is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:eu-west-1:xxxxxx because no identity-based policy allows the kms:Encrypt action.

I deliberately omitted the Encrypt permission as I didn’t want to modify the key used in Prod and thought that read access was sufficient.
If I activate the KMS:Encrypt rights, I risk modifying the value and therefore affecting the production cluster that uses the key?

Any advice?

Thank you

I’ve done the procedure you’re describing successfully, using the same KMS key on a test cluster. In my case it didn’t cause any issues, and I was subsequently able to continue to unseal the prod vault. As far as I’m aware, the value of the key should not change if you were to use it on a test cluster for restoring a snapshot. Of course, proceed with caution as always.