Troubleshoot customer managed keys in Amazon IAM Identity Center
This topic describes common customer managed key related errors you might encounter when using Amazon IAM Identity Center and provides troubleshooting steps to resolve them.
Access Denied: KMS Decrypt Permission Issue
Error: "User xxxxxxx is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action"
The user or IAM principal lacks the required kms:Decrypt permission in either their IAM policy or KMS key policy.
Troubleshooting with Amazon CloudTrail:
Look for kms.amazonaws.com events in CloudTrail.
Search for the event name Decrypt.
Review the errorCode and errorMessage fields.
Check userIdentity to confirm which principal attempted the operation.
To resolve this issue, grant the user or IAM principal kms:Decrypt access permissions in their IAM policy and KMS key policy. For more information, see Implementing customer managed KMS keys in Amazon IAM Identity Center.
Amazon managed application login failures with a customer managed KMS key enabled in IAM Identity Center
If no Identity Center users can log into Amazon managed applications and you have a customer managed KMS key enabled in your IAM Identity Center instance, verify that the KMS key policy grants the Amazon managed applications permissions to use the customer managed KMS key. For more information, see Baseline KMS key and IAM policy statements.
Amazon managed application installation and/or user assignment failures with a customer managed KMS key enabled in IAM Identity Center
Error: "User xxxxxxx is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action"
The user or IAM principal lacks the required kms:Decrypt permission in either their IAM policy or KMS key policy.
Troubleshooting with CloudTrail:
Search for the event name Decrypt.
Review the errorCode and errorMessage fields.
Check userIdentity to confirm which principal attempted the operation.
To resolve this issue, grant the user or IAM principal kms:Decrypt access permissions in their IAM policy and KMS key policy. For more information, see Implementing customer managed KMS keys in Amazon IAM Identity Center.
KMS Permissions Issue: Configuring Customer Managed Key with Amazon IAM Identity Center
The user or IAM principal lacks one or more of the KMS permissions (kms:Decrypt, kms:Encrypt, kms:GenerateDataKey, kms:DescribeKey) required when enabling a customer managed key.
Troubleshooting with CloudTrail:
Search for Decrypt, Encrypt, GenerateDataKey, or DescribeKey events.
Review the errorCode and errorMessage fields.
Check userIdentity to confirm which principal attempted the operation.
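The three CloudTrail procedures above (filter on the kms.amazonaws.com event source, match the event name, read errorCode and errorMessage, and identify the caller from userIdentity) can be run over a downloaded CloudTrail log file instead of by hand. The script below is an added example, not part of this documentation or of any AWS tooling. The log records in it are constructed for illustration; the account ID, key ID, user and role names are fictitious, and the service principal name used for the on-behalf-of call is an assumption. Field names follow the CloudTrail record format.

```python
"""Triage a CloudTrail log file for KMS permission errors behind IAM Identity Center failures.

Added example (not AWS documentation or AWS code). SAMPLE_LOG is a constructed
CloudTrail log body; principals, account ID and key ID are fictitious.
"""
import json
from collections import defaultdict

# KMS actions a principal needs when enabling a customer managed key in IAM Identity Center.
REQUIRED_KMS_ACTIONS = {"Decrypt", "Encrypt", "GenerateDataKey", "DescribeKey"}

_ALICE = "arn:aws:iam::111122223333:user/alice"                       # fictitious
_ROLE = "arn:aws:sts::111122223333:assumed-role/IdcAdmin/console"     # fictitious

# Constructed log file body in the CloudTrail {"Records": [...]} layout.
SAMPLE_LOG = json.dumps({"Records": [
    {   # denied Decrypt by an IAM user: the case in the error message quoted above
        "eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "errorCode": "AccessDenied",
        "errorMessage": "User " + _ALICE + " is not authorized to perform: kms:Decrypt on the "
                        "resource associated with this ciphertext because no identity-based "
                        "policy allows the kms:Decrypt action",
        "userIdentity": {"type": "IAMUser", "arn": _ALICE},
    },
    {   # successful Decrypt by the same user: no errorCode, so not a finding
        "eventTime": "2024-01-01T10:01:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "userIdentity": {"type": "IAMUser", "arn": _ALICE},
    },
    {   # a role enabling the key is missing two of the required actions
        "eventTime": "2024-01-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey", "errorCode": "AccessDenied",
        "errorMessage": "constructed message", "userIdentity": {"type": "AssumedRole", "arn": _ROLE},
    },
    {
        "eventTime": "2024-01-01T10:02:05Z", "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey", "errorCode": "AccessDenied",
        "errorMessage": "constructed message", "userIdentity": {"type": "AssumedRole", "arn": _ROLE},
    },
    {   # call made on behalf of a service; the service principal name is an assumption
        "eventTime": "2024-01-01T10:03:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "errorCode": "AccessDenied",
        "errorMessage": "constructed message",
        "userIdentity": {"type": "AWSService", "invokedBy": "sso.amazonaws.com"},
    },
    {   # unrelated service: filtered out by the eventSource check
        "eventTime": "2024-01-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": _ALICE},
    },
]})


def load_records(log_text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(log_text)["Records"]


def principal_label(user_identity):
    """Name the caller from userIdentity: the invoking service for service calls, else the ARN."""
    if user_identity.get("type") == "AWSService":
        return "service:" + user_identity.get("invokedBy", "unknown")
    return user_identity.get("arn") or user_identity.get("principalId", "unknown")


def find_kms_denials(records, actions=REQUIRED_KMS_ACTIONS):
    """Keep kms.amazonaws.com events for the given actions that carry an errorCode."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in actions or "errorCode" not in rec:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "error_code": rec["errorCode"],
            "error_message": rec.get("errorMessage", ""),
            "principal": principal_label(rec.get("userIdentity", {})),
        })
    return findings


def denied_actions_by_principal(findings):
    """Map each principal to the set of KMS actions it was denied: the permissions to grant."""
    summary = defaultdict(set)
    for finding in findings:
        summary[finding["principal"]].add(finding["action"])
    return dict(summary)


if __name__ == "__main__":
    denials = find_kms_denials(load_records(SAMPLE_LOG))
    for principal, actions in sorted(denied_actions_by_principal(denials).items()):
        print(principal, "denied:", ", ".join("kms:" + a for a in sorted(actions)))
```

Pass `actions={"Decrypt"}` to find_kms_denials to reproduce the narrower Decrypt-only search from the first two sections; the default covers all four actions checked when enabling the key. A principal that appears under "service:" points at the key policy rather than an identity-based policy, which matches the login-failure sections on this page.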
To resolve this issue, grant all required KMS permissions to the user or IAM principal in their identity-based policy or KMS key policy. For more information, see Implementing customer managed KMS keys in Amazon IAM Identity Center.
Amazon access portal login failures with a customer managed KMS key enabled in IAM Identity Center
Error: "ERROR Code: 0001 - IdentityCenter service access is blocked. Reach out to your IdentityCenter admin for further steps."
If users cannot log in to the Amazon access portal and you have a customer managed KMS key enabled in your IAM Identity Center instance, verify that the KMS key policy grants the necessary permissions to Identity Center and Identity Store. For more information, see Baseline KMS key and IAM policy statements.