re: AWS KMS use case with Serverless Application Model (SAM): An end to end solution VIEW POST

re: Nice work. The lambda doesn't seem to be using keyUser's credentials though? Does its service role have access to the key as well?

Key access is given in lamdba policy.


The policy only grants $keyUser access to the key, not the lambda itself. The lambda code still has to authenticate as $keyUser at some point. Where is that done?

With that Policy, an inline policy for Lamdba is created and assigned to the execution role to have access to key. Lamdba doesn't use KeyUser.

Ok, that's what I thought. You don't really need the $keyUser statement. For using the key, it would probably be more portable to grant access to a role instead of a user anyway.

Code of Conduct Report abuse