Vault💣

Vault needs the following KMS policy applied to the workers in order to unseal with AWS KMS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
      "Resource": ["<kms-arn>"],
      "Effect": "Allow"
    },
    {
      "Action": ["kms:GenerateRandom"],
      "Resource": ["*"],
      "Effect": "Allow"
    }
  ]
}
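
A pre-deployment check for this policy, added here as an example (it is not part of the original page or of Vault): it flags the key actions being granted on a wildcard resource, a `<kms-arn>` placeholder left in place, and any of the three key actions missing. The function name, the finding strings and the sample ARN are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Key-scoped actions from the policy's first statement (IAM action names are case-insensitive).
KEY_ACTIONS = ("kms:encrypt", "kms:decrypt", "kms:describekey")

def _as_list(value):
    """IAM accepts either a bare value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def lint_unseal_policy(policy_json):
    """Return findings (strings) for a Vault AWS KMS unseal policy; an empty list means clean."""
    findings, covered = [], set()
    for n, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        # Key actions this statement grants, including through wildcards such as kms:*
        hits = {k for k in KEY_ACTIONS if any(fnmatchcase(k, a) for a in actions)}
        covered |= hits
        if any("*" in a for a in actions):
            findings.append(f"statement {n}: wildcard action")
        # kms:GenerateRandom takes no key, so its "*" resource is not flagged here.
        if hits and any("*" in r for r in resources):
            findings.append(f"statement {n}: key actions on wildcard resource")
        if any(r.startswith("<") for r in resources):
            findings.append(f"statement {n}: placeholder resource not replaced")
    for missing in sorted(set(KEY_ACTIONS) - covered):
        findings.append(f"missing action {missing}")
    return findings

# Constructed sample values: documentation-style account and key IDs, not real ones.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": [KEY_ARN], "Effect": "Allow"},
    {"Action": ["kms:GenerateRandom"], "Resource": ["*"], "Effect": "Allow"}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": "kms:*", "Resource": "*", "Effect": "Allow"}]})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, lint_unseal_policy(doc) or "ok")
```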

Last update: 2022-04-14 by kevin.wilder