
Troubleshoot customer managed keys in Amazon IAM Identity Center

This topic describes common customer managed key related errors you might encounter when using Amazon IAM Identity Center and provides troubleshooting steps to resolve them.

Access Denied: KMS Decrypt Permission Issue

Error: "User xxxxxxx is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action"

The user or IAM principal lacks the required kms:Decrypt permission in either their IAM policy or KMS key policy.

Troubleshooting with Amazon CloudTrail:

  1. Look for kms.amazonaws.com events in CloudTrail

  2. Search for event name Decrypt

  3. Review the errorCode and errorMessage fields

  4. Check userIdentity to confirm which principal attempted the operation

To resolve this issue, grant the user or IAM principal kms:Decrypt access permissions in their IAM policy and KMS key policy. For more information, see Implementing customer managed KMS keys in Amazon IAM Identity Center.

Amazon managed application login failures with a customer managed KMS key enabled in IAM Identity Center

If no Identity Center users can log into Amazon managed applications and you have a customer-managed KMS key enabled in your IAM Identity Center instance, verify that the KMS key policy grants the Amazon managed applications permissions to use the customer managed KMS key. For more information, see Baseline KMS key and IAM policy statements.

Amazon managed application installation and/or user assignment failures with a customer managed KMS key enabled in IAM Identity Center

Error: "User xxxxxxx is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action"

The user or IAM principal lacks the required kms:Decrypt permission in either their IAM policy or KMS key policy.

Troubleshooting with CloudTrail:

  1. Search for event name Decrypt

  2. Review the errorCode and errorMessage fields

  3. Check userIdentity to confirm which principal attempted the operation

To resolve this issue, grant the user or IAM principal kms:Decrypt access permissions in their IAM policy and KMS key policy. For more information, see Implementing customer managed KMS keys in Amazon IAM Identity Center.

KMS Permissions Issue: Configuring Customer Managed Key with Amazon IAM Identity Center

The user or IAM principal lacks one or more of the required KMS permissions (kms:Decrypt, kms:Encrypt, kms:GenerateDataKey, kms:DescribeKey) when enabling a customer managed key.

Troubleshooting with CloudTrail:

  1. Search for Decrypt, Encrypt, GenerateDataKey, or DescribeKey events

  2. Review the errorCode and errorMessage fields

  3. Check userIdentity to confirm which principal attempted the operation
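The CloudTrail procedure in this section, and the two near-identical procedures in the sections above, can be run as a script: keep kms.amazonaws.com records with the event names of interest, read errorCode and errorMessage, and identify the calling principal from userIdentity. The following is an added example, not AWS code or Identity Center tooling. The account ID, role name and session ARN are constructed, the records are constructed samples in the "Records" layout of a CloudTrail log file, and the error text follows the wording quoted on this page. It generalises the single Decrypt search of the earlier sections to the four event names listed in this one.

```python
"""Triage CloudTrail records for failed KMS calls (added example, not AWS code).
Steps: filter kms.amazonaws.com events by name, read errorCode/errorMessage,
and report the principal from userIdentity. Sample records are constructed."""
import json
from collections import Counter

# Event names this page tells you to search for.
KMS_EVENTS_OF_INTEREST = frozenset({"Decrypt", "Encrypt", "GenerateDataKey", "DescribeKey"})

# Constructed identifiers (not a real account, role or key).
ROLE_ARN = "arn:aws:iam::111122223333:role/SSOAdmin"
SESSION_ARN = "arn:aws:sts::111122223333:assumed-role/SSOAdmin/alice"


def _denied_message(action):
    """Error text in the form quoted on this page, with a constructed principal."""
    return (f"User: {SESSION_ARN} is not authorized to perform: kms:{action} on the resource "
            f"associated with this ciphertext because no identity-based policy allows "
            f"the kms:{action} action")


def _kms_record(name, identity, denied=False):
    """Build one constructed CloudTrail record for a KMS API call."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name, "userIdentity": identity}
    if denied:
        rec["errorCode"] = "AccessDenied"  # errorCode CloudTrail records for an authorization failure
        rec["errorMessage"] = _denied_message(name)
    return rec


ASSUMED_ROLE_IDENTITY = {"type": "AssumedRole", "arn": SESSION_ARN,
                         "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}
IAM_USER_IDENTITY = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}

# Constructed log: three denied KMS calls by the role, two successful KMS calls
# by an IAM user, and one non-KMS denial that must be ignored.
SAMPLE_LOG = json.dumps({"Records": [
    _kms_record("Decrypt", ASSUMED_ROLE_IDENTITY, denied=True),
    _kms_record("Decrypt", ASSUMED_ROLE_IDENTITY, denied=True),
    _kms_record("GenerateDataKey", ASSUMED_ROLE_IDENTITY, denied=True),
    _kms_record("Decrypt", IAM_USER_IDENTITY),       # success: no errorCode
    _kms_record("DescribeKey", IAM_USER_IDENTITY),   # success: no errorCode
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "userIdentity": IAM_USER_IDENTITY},
]})


def failed_kms_calls(log_text, event_names=KMS_EVENTS_OF_INTEREST):
    """Steps 1 and 2: kms.amazonaws.com records with a watched eventName and an errorCode."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records
            if r.get("eventSource") == "kms.amazonaws.com"
            and r.get("eventName") in event_names
            and "errorCode" in r]


def principal_of(record):
    """Step 3: the principal behind the call. For an assumed-role session the role
    ARN in sessionContext.sessionIssuer is what the policy fix must target;
    otherwise fall back to the identity's own ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("type", "unknown")


def summarize_failures(log_text, event_names=KMS_EVENTS_OF_INTEREST):
    """Count failures per (principal, eventName, errorCode); keep one sample errorMessage."""
    counts = Counter()
    messages = {}
    for rec in failed_kms_calls(log_text, event_names):
        key = (principal_of(rec), rec["eventName"], rec["errorCode"])
        counts[key] += 1
        messages.setdefault(key, rec.get("errorMessage", ""))
    return {key: {"count": n, "message": messages[key]} for key, n in counts.items()}


def denied_kms_actions(log_text, principal_arn):
    """Distinct kms:<Action> permissions the principal was denied: the list to grant
    in its IAM policy and in the key policy."""
    return sorted({"kms:" + rec["eventName"]
                   for rec in failed_kms_calls(log_text)
                   if principal_of(rec) == principal_arn and rec["errorCode"] == "AccessDenied"})


if __name__ == "__main__":
    for (principal, event, code), info in summarize_failures(SAMPLE_LOG).items():
        print(f"{principal} {event} {code} x{info['count']}: {info['message']}")
    print("grant:", denied_kms_actions(SAMPLE_LOG, ROLE_ARN))
```

Against a real trail, replace SAMPLE_LOG with the contents of a downloaded CloudTrail log file; the summary groups by the role rather than the session so that repeated denials from many sessions of one role show up as a single line to fix.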

To resolve this issue, grant all required KMS permissions to the user or IAM principal in their identity-based policy or KMS key policy. For more information, see Implementing customer managed KMS keys in Amazon IAM Identity Center.
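Before retrying the operation, it helps to confirm that the key policy and the principal's identity-based policy together cover all four actions named above. The following added example (not AWS code) audits a KMS key policy plus an IAM policy for kms:Decrypt, kms:Encrypt, kms:GenerateDataKey and kms:DescribeKey with a deliberately simplified policy evaluator. The account ID, key ARN, role name and policies are constructed samples; the evaluator handles Effect, Principal, Action and Resource with wildcards and explicit Deny, and ignores Condition, NotAction, NotPrincipal and NotResource, so policies that use those elements need the IAM policy simulator or a real test call instead.

```python
"""Audit required KMS permissions against a key policy and an IAM policy
(added example, not AWS code; sample policies are constructed).
Simplified: Effect/Principal/Action/Resource with '*' and '?' wildcards,
explicit Deny wins; Condition, NotAction, NotPrincipal, NotResource ignored."""
import fnmatch
import re

# Actions this page lists as required when enabling a customer managed key.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource_arn):
    """Resource ARNs are case-sensitive; '*' and '?' wildcards apply."""
    return fnmatch.fnmatchcase(resource_arn, pattern)


def _principal_matches(stmt, principal_arn):
    """True if the statement's Principal names principal_arn. A bare 12-digit
    account ID is shorthand for that account's root principal."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for entry in _as_list(principal.get("AWS")) + _as_list(principal.get("Service")):
        if re.fullmatch(r"\d{12}", entry):
            entry = f"arn:aws:iam::{entry}:root"
        if entry in ("*", principal_arn):
            return True
    return False


def _decision(policy, action, resource_arn, principal_arn=None):
    """'deny' if a matching Deny exists, 'allow' if a matching Allow exists, else
    'implicit_deny'. principal_arn is None for identity-based policies (no Principal)."""
    effects = []
    for stmt in _as_list(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_resource_matches(p, resource_arn) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        effects.append(stmt.get("Effect"))
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "implicit_deny"


def missing_kms_permissions(key_policy, iam_policy, principal_arn, key_arn):
    """Required actions principal_arn cannot perform on key_arn.
    An action is granted when the key policy allows the principal directly, or when
    the key policy delegates to IAM (allows the account's root principal) and the
    IAM policy allows it. Any matching explicit Deny wins."""
    account_id = key_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account_id}:root"
    missing = []
    for action in REQUIRED_KMS_ACTIONS:
        direct = _decision(key_policy, action, key_arn, principal_arn)
        delegated = _decision(key_policy, action, key_arn, root_arn)
        via_iam = _decision(iam_policy, action, key_arn)
        if "deny" in (direct, delegated, via_iam):
            missing.append(action)
        elif direct != "allow" and not (delegated == "allow" and via_iam == "allow"):
            missing.append(action)
    return missing


# Constructed sample: the key policy delegates to IAM and grants the role kms:Decrypt
# directly; the role's IAM policy covers only Decrypt and DescribeKey, so Encrypt and
# GenerateDataKey are reported missing.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = "arn:aws:iam::111122223333:role/SSOAdmin"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"},
]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY_ARN},
]}

if __name__ == "__main__":
    print("missing:", missing_kms_permissions(KEY_POLICY, IAM_POLICY, ROLE_ARN, KEY_ARN))
```

The check mirrors how the two policies combine for a principal in the key's own account: a key policy that names only the root principal grants nothing by itself until an IAM policy also allows the action, while a direct grant in the key policy works without one. Feed it the JSON returned by the key's GetKeyPolicy call and the principal's attached policy documents.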