Невозможно загрузить учетные данные из системных настроек. AWS_ACCESS_KEY_ID

Я новичок в AWS, и я разработал функцию Lambda для шифрования и дешифрования с помощью KmsClient.

Вот как я создаю KmsClient, указывая регион AWS:

// Only the region is configured; no credentials provider is set on the builder, so the
// SDK resolves credentials through its default lookup (the exception quoted below shows it
// checked the AWS_ACCESS_KEY_ID env var / aws.accessKeyId system property).
// NOTE(review): inside Lambda the runtime is expected to hand the execution role's temporary
// credentials to the SDK via the environment — confirm where this code actually runs
// (local run vs. Lambda). Do not work around it by hard-coding static access keys.
final KmsClient kmsClient = KmsClient.builder().region(awsRegion).build();

Я использую Envelope Encryption (конвертное шифрование), поэтому для генерации ключа данных, в том числе его открытой (plaintext) версии, я использую GenerateDataKeyRequest:

// Asks KMS for a fresh 256-bit data key (DataKeySpec.AES_256) under the key named by arnKey,
// bound to encryptionContext. This call needs kms:GenerateDataKey* on that key (granted to
// the listed roles in the key policy below).
// NOTE(review): the same encryptionContext presumably has to be supplied on the later Decrypt
// call — store it next to the ciphertext; verify against the decrypt path.
GenerateDataKeyRequest generateDataKeyRequest = GenerateDataKeyRequest.builder().keyId(arnKey).encryptionContext(encryptionContext).
keySpec(DataKeySpec.AES_256).build();
   
// This is the call that throws the SdkClientException quoted below: it is a client-side
// credential-lookup failure, not a KMS authorization error, so the key policy is not yet involved.
// NOTE(review): the response presumably carries the plaintext data key alongside its encrypted
// copy — never log or persist the plaintext; keep only the ciphertext blob. Confirm against the SDK docs.
GenerateDataKeyResponse generateDataKeyResponse = kmsClient.generateDataKey(generateDataKeyRequest);

В строке выше я получаю следующее исключение:

software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).

Я попытался решить эту проблему, установив переменную окружения, но это всё равно не сработало.

Моя ключевая политика KMS выглядит следующим образом:

    {
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Буду благодарен за любую помощь.

Заранее спасибо, Прадип

1 ответ

Поскольку вы используете функцию Lambda, вместо ключей доступа IAM вам следует использовать роль IAM (роль выполнения) функции Lambda: среда выполнения Lambda сама передаёт SDK временные учетные данные этой роли, и задавать AWS_ACCESS_KEY_ID вручную не нужно.

Убедитесь, что роль Lambda имеет правильные разрешения IAM, включая разрешения KMS на GenerateDataKey, DescribeKey, а также Decrypt. Рекомендуемая Amazon политика приведена ниже (по принципу наименьших привилегий в Resource лучше указать ARN конкретного ключа вместо key/*).

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:*:111122223333:key/*"
    ]
  }
}

Наконец, если с этими разрешениями возникнут проблемы, убедитесь, что ключевая политика используемого ключа KMS разрешает доступ этой роли IAM: в вашей политике выше операции Encrypt/Decrypt/GenerateDataKey разрешены только ролям, явно перечисленным в выражении «Allow use of the key», поэтому роль выполнения Lambda должна быть либо среди них, либо получать доступ через политику IAM (это допускает первое выражение с принципалом root).
