Best practice for granting KMS decrypt for aurora-postgres-resources #30
Following https://github.com/cloudposse-terraform-components/aws-aurora-postgres-resources it seems that the KMS key for the password for any additional users created will be taken from the aurora-postgres module. It doesn't appear to me that this can be configured to be a different key. What is the best practice for sharing the ability to decrypt an additional user's password from the parameter store with an ECS execution role? I may be missing something, but I don't also want to grant the execution role the ability to decrypt the admin password stored under the same KMS key.
Replies: 2 comments
@rauthur The v1.537.0 release for the Aurora Postgres Resources component introduces the kms_key_arn variable where you can supply your own customer-managed KMS key. You can pass the following input to the module with your managed key:

    kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/11112222-3333-4444-5555-666677778888"
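A worked example of the pattern the reply points at, added here and not taken from the question, the reply, or the Cloud Posse component: a dedicated customer-managed KMS key for the additional user's password, handed to the component as its kms_key_arn input, plus a policy for the ECS task execution role that can read only that one parameter and decrypt only with that one key. The parameter path /aurora/app_user/password, the alias and policy names, and the pre-existing aws_iam_role.ecs_task_execution resource are assumptions.

```hcl
# Added example; not part of the aurora-postgres-resources component.
# Parameter path, alias/policy names and the execution role are assumptions.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Assumed parameter that aurora-postgres-resources writes the extra user's
  # password to. The admin password stays under the aurora-postgres key.
  app_user_password_param = "/aurora/app_user/password"
}

# Separate CMK for the additional user's password, so decrypt rights on it do
# not also cover the admin password encrypted under the aurora-postgres key.
resource "aws_kms_key" "app_user" {
  description         = "Encrypts the Aurora app_user password stored in SSM"
  enable_key_rotation = true
}

resource "aws_kms_alias" "app_user" {
  name          = "alias/aurora-app-user-password"
  target_key_id = aws_kms_key.app_user.key_id
}

# Hand this key to the component (v1.537.0 or later) instead of letting it
# inherit the aurora-postgres key:
#   kms_key_arn = aws_kms_key.app_user.arn

# Least-privilege policy for the ECS task execution role: one parameter,
# one key, and kms:Decrypt only when called on behalf of SSM.
data "aws_iam_policy_document" "ecs_exec_app_user_secret" {
  statement {
    sid     = "ReadAppUserPassword"
    actions = ["ssm:GetParameters"]
    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${local.app_user_password_param}"
    ]
  }

  statement {
    sid       = "DecryptAppUserPasswordKey"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.app_user.arn]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "ecs_exec_app_user_secret" {
  name   = "aurora-app-user-password-read"
  role   = aws_iam_role.ecs_task_execution.id # assumed to be defined elsewhere
  policy = data.aws_iam_policy_document.ecs_exec_app_user_secret.json
}

# In the task definition, reference the parameter as a secret so ECS resolves
# it with the execution role at launch; the value never appears in the
# container definition itself:
#   "secrets": [{ "name": "DB_PASSWORD",
#                 "valueFrom": "arn:aws:ssm:<region>:<account>:parameter/aurora/app_user/password" }]
```

The point of the second key is the KMS statement: scoping the SSM statement to one parameter ARN was always possible, but kms:Decrypt on the shared aurora-postgres key would still cover every parameter encrypted under it, the admin password included. With the password moved to its own key, the execution role's decrypt grant names only aws_kms_key.app_user.arn, and the kms:ViaService condition additionally stops the role from calling Decrypt directly outside of an SSM request. Verify the result with a read of the admin parameter as the execution role; it should fail with an AccessDenied from KMS.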