Attaches a policy to a KMS Key.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "example" {
  description = "example"
}

resource "aws_kms_key_policy" "example" {
  key_id = aws_kms_key.example.id
  policy = jsonencode({
    Id = "example"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        # Delegate to IAM in the key's own account, as in the AWS default key
        # policy. Principal = { AWS = "*" } would let any AWS account use and
        # administer the key (kms:* includes kms:ScheduleKeyDeletion).
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
    ]
    Version = "2012-10-17"
  })
}
This resource supports the following arguments:

key_id - (Required) The ID of the KMS Key to attach the policy to.

policy - (Required) A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws_iam_policy_document, in the form that designates a principal, can be used. For more information about building policy documents with Terraform, see the AWS IAM Policy Document Guide.

bypass_policy_lockout_safety_check - (Optional) A flag to indicate whether to bypass the key policy lockout safety check. KMS normally rejects a key policy that would leave the principal making the request without permission to make a subsequent kms:PutKeyPolicy call on the key; bypassing the check lets such a policy through. Setting this value to true therefore increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set and the resource is destroyed, Terraform shows a warning and only removes the resource from state. For more information, refer to the scenario in the Default Key Policy section in the _AWS Key Management Service Developer Guide_.

This resource exports no additional attributes.
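The following is an added example, not the provider's own documentation code. It builds the key policy argument with aws_iam_policy_document (the principal-designating form mentioned above) instead of raw JSON, scopes the administrative statement to the key's own account, adds a narrowly scoped usage statement for a role, and guards against the lockout scenario described under bypass_policy_lockout_safety_check with a plan-time precondition. The role name app-role and the region in the kms:ViaService value are assumptions; the precondition is a local approximation of the KMS safety check (it only inspects Allow statements naming the account root), not the service's own evaluation.

```hcl
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "example" {
  description = "example"
}

locals {
  account_root = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}

data "aws_iam_policy_document" "key" {
  # Delegate administration to the key's own account so IAM policies in this
  # account decide who can use or manage the key. This statement is also what
  # keeps kms:PutKeyPolicy reachable for the account.
  statement {
    sid       = "EnableIAMUserPermissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [local.account_root]
    }
  }

  # Usage-only grant to one role (hypothetical name), limited to calls made
  # on its behalf by S3 in one region (assumed region; adjust to yours).
  statement {
    sid       = "AllowAppRoleViaS3"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-role"]
    }

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.us-east-1.amazonaws.com"]
    }
  }
}

locals {
  key_policy = jsondecode(data.aws_iam_policy_document.key.json)

  # True if some Allow statement names the account root and covers
  # kms:PutKeyPolicy, either literally or through the kms:* wildcard.
  # Principal.AWS and Action may be a string or a list, hence flatten().
  root_can_put_policy = anytrue([
    for s in local.key_policy.Statement :
    s.Effect == "Allow" &&
    contains(flatten([try(s.Principal.AWS, [])]), local.account_root) &&
    anytrue([for a in flatten([try(s.Action, [])]) : a == "kms:*" || a == "kms:PutKeyPolicy"])
  ])
}

resource "aws_kms_key_policy" "example" {
  key_id = aws_kms_key.example.id
  policy = data.aws_iam_policy_document.key.json

  # Fail at plan time rather than relying on the service-side check, and
  # never set bypass_policy_lockout_safety_check just to get past an error.
  lifecycle {
    precondition {
      condition     = local.root_can_put_policy
      error_message = "Key policy must keep kms:PutKeyPolicy for ${local.account_root}; otherwise the key can become unmanageable."
    }
  }
}
```

Removing the EnableIAMUserPermissions statement (or changing its principal to a single user) makes terraform plan fail with the precondition message before any PutKeyPolicy request is sent. The check is deliberately conservative: it does not evaluate Deny statements, conditions, or the permissions of the credentials running Terraform, so a passing precondition is necessary but not sufficient for manageability.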
In Terraform v1.5.0 and later, use an import block to import KMS Key Policies using the key_id. For example:

import {
  to = aws_kms_key_policy.a
  id = "1234abcd-12ab-34cd-56ef-1234567890ab"
}

Using terraform import, import KMS Key Policies using the key_id. For example:

% terraform import aws_kms_key_policy.a 1234abcd-12ab-34cd-56ef-1234567890ab