The  AWS Key Management Service plugin supports the following types of credentials.

Once set, run the following code in the AWS CLI to test the permissions.

# Test list keys permission
aws kms list-keys --region us-east-1
 
# Test describe key permission
aws kms describe-key --key-id "key-id-or-arn" --region us-east-1
 
# Test list aliases permission
aws kms list-aliases --region us-east-1
 
# Test get public key permission (for asymmetric keys only)
aws kms get-public-key --key-id "key-id-or-arn" --region us-east-1

Creating permanent IAM user credentials

The IAM user or role must have the following ACM Permissions

Identiifer

Description

kms:ListKeys 

Required to discover all keys in the specified region. Without this permission, the plugin cannot enumerate keys, and the scan will fail immediately.

kms:DescribeKey 

Required to retrieve detailed metadata for each key, including key spec, key usage, key state, creation date, and origin. Without this permission, the plugin can list keys but cannot retrieve their details.

kms:ListAliases 

Required to retrieve friendly alias names for keys. Without this permission, keys will be identified only by their key ID, not their alias names.

kms:GetPublicKey

Required to retrieve the public key data for asymmetric keys. Without this permission, the plugin can discover asymmetric keys but cannot extract their public key PEM data. This permission is not needed for symmetric or HMAC keys.

Follow the steps below to create a credential with these permissions.

To create permanent IAM user credentials

  1. Log in to the AWS IAM Console at https://console.aws.amazon.com/iam/
  2. Navigate to Users  Add user
  3. Enter a username - for example, "kms-discovery-plugin".
  4. Select Programmatic access as the access type
  5. Click Next: Permissions
  6. Attach the required permissions policy. For example: 
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "kms:ListKeys",
    "kms:DescribeKey",
    "kms:ListAliases",
    "kms:GetPublicKey"
    ],
    "Resource": "*"
    }
    ]
    }
  7. Complete the wizard and click Create user
  8. Save the Access Key ID and Secret Access Key displayed on the final screen. 

    You won't be able to retrieve the secret key again.

  9. Use these credentials in the plugin configuration and leave sessionToken empty.

Creating temporary credentials

For Temporary Credentials (STS), you may need the following permissions.

Identiifer

Allowed actions

sts:GetSessionToken

Required only when using temporary credentials to generate or validate session tokens.

Follow the steps below to create a credential with these permissions.

To create temporary credentials

  1. Ensure you have an IAM role configured with the required permissions.
  2. Use AWS CLI or SDK to assume the role: 
    aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/ACMReadRole \
    --role-session-name acm-plugin-session
  3.  Extract the following fields from the response: 
    • AccessKeyId 
    • SecretAccessKey
    • SessionToken 
  4. Use all three values in the plugin configuration. 

    Temporary credentials typically expire within 1-12 hours and must be refreshed.