aws_kms_grant doesn't accept service principals in grantee_principal fiend #13994

Open
arcones opened this issue Jun 30, 2020 · 4 comments
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service.

Comments

@arcones

arcones commented Jun 30, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.28

Affected Resource(s)

  • aws_kms_grant

Terraform Configuration Files

resource "aws_kms_grant" "grant_input_sns" {
  name              = "AllowCMKManagementToInputSNS"
  key_id            = aws_kms_key.cmk.key_id
  grantee_principal = "sns.amazonaws.com"
  operations        = ["Encrypt", "Decrypt"]
}

Debug Output

https://gist.github.com/arcones/7bc62c94ac8f66a0714683f549aa9939

Expected Behavior

Service principals are accepted grantees in KMS grants, as per AWS docs. The grant should have been created.

Actual Behavior

It says:
Error: "grantee_principal" doesn't look like a valid ARN ("^arn:[\\w-]+:([a-zA-Z0-9\\-])+:([a-z]{2}-(gov-)?[a-z]+-\\d{1})?:(\\d{12})?:(.*)$"): "sns.amazonaws.com"

Steps to Reproduce

  1. Create a KMS key
  2. Try to add a KMS grant like the above, with any service principal instead of a regular ARN, using the terraform apply command
@ghost ghost added the service/kms Issues and PRs that pertain to the kms service. label Jun 30, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 30, 2020
@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 3, 2020
@davidkarlsen

This is pretty much bread & butter. Any news to shed on it?

@chammock
Contributor

chammock commented Feb 4, 2021

Using service principals with grants is invalid per AWS's docs.
https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grantee-principal

Grantee principal
The identity that gets the permissions specified in the grant. A grant must have at least one grantee principal. The grantee principal can be any AWS principal, including an AWS account (root), an IAM user, an IAM role, a federated role or user, or an assumed role user. The grantee principal can be in the same account as the CMK or a different account. However, the grantee principal cannot be a service principal, an IAM group, or an AWS organization.

@MrHash

MrHash commented Feb 12, 2022

The create-grant API supports creation of grants to service principals so it suggests that the documentation is out of date. For example this is a valid call.

aws kms create-grant --key-id mrk-xxxxxxxxx49ba87d419f6279429ff --grantee-principal "dynamodb.us-west-1.amazonaws.com" --retiring-principal "dynamodb.us-west-1.amazonaws.com" --operations Decrypt Encrypt GenerateDataKey ReEncryptFrom ReEncryptTo RetireGrant DescribeKey --constraints EncryptionContextSubset="{aws:dynamodb:subscriberId=123456789012,aws:dynamodb:tableName=my-table}" --name GrantTest

aws_kms_grant should be updated to support this functionality instead of requiring ARNs for grantee and retiring principals. Thanks.
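A validator that accepts both forms, written as an added example for this thread and not taken from the provider's code: it keeps the ARN regex quoted in the error message above and adds an assumed service-principal pattern that covers sns.amazonaws.com as well as regional names like dynamodb.us-west-1.amazonaws.com. The service-principal regex is a constructed heuristic, not AWS's definition of a service principal.

```go
package main

import (
	"fmt"
	"regexp"
)

// arnRe is the ARN pattern the provider's error message quotes (with the
// Go string escapes undone).
var arnRe = regexp.MustCompile(`^arn:[\w-]+:([a-zA-Z0-9\-])+:([a-z]{2}-(gov-)?[a-z]+-\d{1})?:(\d{12})?:(.*)$`)

// servicePrincipalRe is an ASSUMED heuristic: one or more lowercase DNS labels
// followed by "amazonaws.com". It matches "sns.amazonaws.com" and
// "dynamodb.us-west-1.amazonaws.com" but rejects a bare "amazonaws.com".
var servicePrincipalRe = regexp.MustCompile(`^([a-z0-9-]+\.)+amazonaws\.com$`)

// PrincipalKind classifies a grantee_principal value as "arn", "service",
// or "" when it is neither.
func PrincipalKind(v string) string {
	switch {
	case arnRe.MatchString(v):
		return "arn"
	case servicePrincipalRe.MatchString(v):
		return "service"
	default:
		return ""
	}
}

// ValidateGranteePrincipal is the relaxed check the thread asks for: it
// returns nil for an ARN or a service principal and an error otherwise.
func ValidateGranteePrincipal(v string) error {
	if PrincipalKind(v) == "" {
		return fmt.Errorf("%q doesn't look like a valid ARN or service principal", v)
	}
	return nil
}

func main() {
	// Constructed sample inputs: the value from the issue, the regional form
	// from the CLI call above, a role ARN, and two values that must fail.
	for _, v := range []string{
		"sns.amazonaws.com",
		"dynamodb.us-west-1.amazonaws.com",
		"arn:aws:iam::123456789012:role/example",
		"amazonaws.com",
		"not-a-principal",
	} {
		fmt.Printf("%-40s kind=%q err=%v\n", v, PrincipalKind(v), ValidateGranteePrincipal(v))
	}
}
```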

RonaldTechnative added a commit to TechNative-B-V/terraform-provider-aws that referenced this issue Jun 15, 2022
@mad-it

mad-it commented Mar 8, 2023

Facing the same issue when trying to set up Airflow (MWAA) using Customer Managed Keys. There are some grants that need to be created with airflow.{region}.amazonaws.com, but it's not supported by the provider.

RonaldTechnative added a commit to TechNative-B-V/terraform-provider-aws that referenced this issue Mar 8, 2023
MaxRBosch pushed a commit to MaxRBosch/terraform-provider-aws that referenced this issue Mar 10, 2023
RonaldTechnative added a commit to TechNative-B-V/terraform-provider-aws that referenced this issue Mar 10, 2023