When creating the Grant Token Faye used Dave’s user, I was expecting to have to do it from a user that has permissions to the KMS Key itself?
Faye didn’t create the grant using Dave’s user.
In the command used:
aws kms create-grant --key-id --grantee-principal --operations "Encrypt"
Faye didn’t append `--profile dave` (as was done on the previous encrypt command) and hence the command was run with her default AWS profile. That profile must have had the correct permissions since the create grant command succeeded.
Hope this helps 🙂
Thanks Hotspur, you are absolutely right, I was not familiar with named profiles: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html