User not authorized to perform kms:DescribeKey #3290

Open
manurawat opened this issue Jan 29, 2025 · 4 comments

@manurawat

manurawat commented Jan 29, 2025

Description

I have the following problem mentioned in the issues below, and I don't have any kms_key_owners or kms_key_administrators variables set. I am kind of locked out with no solution.

#2816

#2678

Could you please suggest what I should do to solve the issue?

@wolffberg
@bryantbiggs
@karl-dpg
@antonbabenko

Versions

  • Module version [Required]:

  • Terraform version: v1.7.5

  • Provider version(s): 19.12

@wolffberg

First, make sure you have everything in place in Terraform to add the correct permissions when the issue is resolved.

If you are truly locked out (like me) create a support ticket with AWS support preferably using the root account email as contact.

It took a few weeks for them to grant permissions for the KMS key to the root account as a recovery team had to be involved.

@bryantbiggs
Member

FYI - the identity that you used to execute the Terraform will have permission, so you most likely just need to use that identity to add your user/role to the permissions

@manurawat
Author

@wolffberg @bryantbiggs
Thanks for your response. I checked the state file and found that my user's user_id in aws_caller_identity differs from my current ID, which explains why I no longer have access. I'll check with our AWS Administrators to see if they still have access, though I doubt it. In the meantime, I'm exploring possible solutions—would contacting AWS support be the only option?
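
The check manurawat describes, together with bryantbiggs' point that the identity which applied the state keeps its key permissions, as an added example that is not from this thread or from the module: read `data.aws_caller_identity` out of a Terraform state file, compare its `user_id` with the current caller's, and list which principals the key policy stored on the `aws_kms_key` resource allow `kms:DescribeKey`. The state layout follows the v4 state file format; the ARNs, user IDs and policy document are constructed sample values.

```python
import json

# Constructed sample values (not from a real account or the issue's state file):
# the identity that ran `terraform apply` and the key policy the module generated.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/platform-admin"}},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/eks-cluster"]}},
]}
STATE = {"version": 4, "resources": [
    {"mode": "data", "type": "aws_caller_identity", "name": "current", "instances": [
        {"attributes": {"account_id": "111122223333", "user_id": "AROAEXAMPLEADMIN:alice",
                        "arn": "arn:aws:sts::111122223333:assumed-role/platform-admin/alice"}}]},
    {"mode": "managed", "type": "aws_kms_key", "name": "this",
     "instances": [{"attributes": {"policy": json.dumps(KEY_POLICY)}}]},
]}

def _attrs(state, mode, rtype):
    """Attributes of the first state entry with the given mode and resource type."""
    for res in state["resources"]:
        if res["mode"] == mode and res["type"] == rtype:
            return res["instances"][0]["attributes"]
    raise KeyError(f"{mode}.{rtype} not found in state")

def principals_allowed(policy, action="kms:DescribeKey"):
    """ARNs that an Allow statement grants `action` (or kms:*). Only the
    {"AWS": ...} principal form is handled; a bare "*" principal is skipped."""
    allowed = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or not ({action, "kms:*"} & set(actions)):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        allowed.update(aws if isinstance(aws, list) else [aws])
    return allowed

def diagnose(state, current_user_id, current_role_arn):
    """Explain a kms:DescribeKey denial: who applied the state, whether that is
    still the caller, and whether the caller's IAM role is in the key policy."""
    applier = _attrs(state, "data", "aws_caller_identity")
    policy = json.loads(_attrs(state, "managed", "aws_kms_key")["policy"])
    allowed = principals_allowed(policy)
    return {
        "applied_by": applier["arn"],
        "same_identity": applier["user_id"] == current_user_id,
        "allowed_principals": sorted(allowed),
        "current_allowed": current_role_arn in allowed,
    }
```

In practice the current `user_id` comes from `aws sts get-caller-identity` and the state from the raw `terraform.tfstate` (or the remote backend's copy); if `same_identity` is false and `current_allowed` is false, only a principal listed in `allowed_principals` (or the account root, via AWS support) can add you to the key policy.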

@wolffberg

In my case I believe it was, but my roles were set up and propagated from the root organization account by IAM Identity Center, so other cases might differ.
