AWS Firehose Role

Firehose assume role

How to resolve a KMS access problem in Firehose:

  1. Go to the KMS console and find the key.
  2. Add the role ARN to the Principal list in the key policy, as follows:
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/ExampleUser",
        "arn:aws:iam::111122223333:role/ExampleRole",
        "arn:aws:iam::444455556666:root"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
  3. Make sure the following is defined in the access role:
    - Effect: Allow
      Action:
        - kms:Decrypt
        - kms:Encrypt
        - kms:GenerateDataKey
      Resource:
        # replace with the ARN of the KMS key
        - key arn
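
One way to check both sides of this fix offline, as an added example that is not part of the original note: the function reads a key policy and a role policy as parsed JSON and reports which of the step 3 actions each one fails to allow for the role. The function names, the region, the key ID and the two sample policy documents are constructed for illustration.

```python
import fnmatch

# Actions the page lists for the Firehose access role (step 3).
REQUIRED = ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey")

def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _granted(policy, applies):
    """REQUIRED actions covered by Allow statements for which applies(stmt) is true."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not applies(stmt):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        # Action names are case-insensitive and may use * wildcards.
        found.update(a for a in REQUIRED
                     if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
    return found

def missing_kms_access(key_policy, role_policy, role_arn, key_arn):
    """Return the REQUIRED actions each policy fails to allow (Allow statements only;
    Deny, NotAction, NotPrincipal and Condition are not evaluated)."""
    def names_role(stmt):
        principal = stmt.get("Principal")
        return isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS"))

    def names_key(stmt):
        return any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource")))

    return {
        "key_policy": sorted(set(REQUIRED) - _granted(key_policy, names_role)),
        "role_policy": sorted(set(REQUIRED) - _granted(role_policy, names_key)),
    }

# Constructed sample input: placeholder account ID, role name, region and key ID.
ROLE = "arn:aws:iam::111122223333:role/ExampleRole"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [ROLE]},
                             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
                             "Resource": "*"}]}
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"],
                              "Resource": [KEY]}]}

if __name__ == "__main__":
    print(missing_kms_access(KEY_POLICY, ROLE_POLICY, ROLE, KEY))
```

With the sample documents, the key policy covers all three actions while the role policy is reported as missing kms:GenerateDataKey, the kind of gap step 3 is meant to close.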