Skip to content

Vault📜

Vault needs this kms policy applied to the workers in order to unseal with AWS KMS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": [
                "<kms-arn>"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:GenerateRandom"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}