Petr Javorik
Commands in resources don’t work with cloud_user permissions.
Starting lab with
Create a new key and make a note of the region you are working in
aws kms create-key
An error occurred (AccessDeniedException) when calling the CreateKey operation: User: arn:aws:iam::776627371336:user/cloud_user is not authorized to perform: kms:CreateKey on resource: * with an explicit deny in a service control policy
Even if we alternatively create a symmetric key in the KMS console, it can't be used with the AWS CLI.
aws kms encrypt --cli-binary-format raw-in-base64-out --plaintext "hello" --key-id arn:aws:kms:us-east-1:776627371336:key/95ba350c-6f16-4dae-a6eb-9b56819b92e8
An error occurred (NotFoundException) when calling the Encrypt operation: Invalid arn us-east-1
I am having the same issue:
aws kms create-key
An error occurred (AccessDeniedException) when calling the CreateKey operation: User: arn:aws:iam::747532475815:user/cloud_user is not authorized to perform: kms:CreateKey on resource: * with an explicit deny in a service control policy
The cloud_user principal has privileges to execute "kms create-key" on us-east-1.
I ran into this issue and ran into similar ones from the other chapter, where cloud_user does not have sufficient permission for me to complete the lab. I raised this as an issue with the Service team, but I received absolutely no answer.