[AWS] How to let RDS decrypt a KMS-encrypted master password?


Andreas Ka

Mar 16, 2017, 11:29:09 AM
to Terraform
Hi,

This is maybe more AWS-related, but since I'm following this little tutorial from Terraform I hope somebody can help me here:

I'm reading https://www.terraform.io/docs/providers/aws/d/kms_secret.html which explains how to encrypt a password via KMS before an RDS cluster gets created.

When trying to use that encrypted password with `terraform apply`, I'm receiving this error:

Error creating DB Instance: InvalidParameterValue: The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"',' ' may be used.


What else is necessary to allow the RDS instance to decrypt the password? I can imagine it has something to do with roles/policies, but what is it exactly?


Best,
Andreas

MCraig

Apr 4, 2017, 2:44:05 PM
to Terraform
Your User, or IAM role, needs to have kms_decrypt allowed. I haven't tried your use case below, but I am using KMS for encrypting other values.
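Added example, not part of either post above: with the `aws_kms_secret` data source from the page linked in the question, decryption happens inside the Terraform run under the credentials Terraform uses, and RDS only ever receives the value of the data source's output attribute. The sketch uses the interpolation syntax of that Terraform era; the key ARN, the payload, and all resource names and sizes are placeholders or assumptions.

```hcl
# Added example. The ARN, payload and names below are placeholders, not values from the thread.

# Least-privilege policy for the user or role that runs Terraform:
# decrypt only, and only with the one key that encrypted the password.
data "aws_iam_policy_document" "terraform_kms_decrypt" {
  statement {
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = ["arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"] # placeholder key ARN
  }
}

resource "aws_iam_policy" "terraform_kms_decrypt" {
  name   = "terraform-kms-decrypt" # hypothetical name
  policy = "${data.aws_iam_policy_document.terraform_kms_decrypt.json}"
}

# The data source calls KMS Decrypt during plan/apply and exposes the
# plaintext under the attribute named by "name".
data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "BASE64_CIPHERTEXT_PLACEHOLDER" # CiphertextBlob produced by KMS Encrypt
  }
}

resource "aws_db_instance" "example" {
  identifier        = "example-db" # hypothetical
  engine            = "mysql"
  instance_class    = "db.t2.micro"
  allocated_storage = 10
  username          = "root"

  # Not this: password = "BASE64_CIPHERTEXT_PLACEHOLDER"
  # The ciphertext is base64 text, which can contain '/', and RDS does not
  # decrypt it; it is validated as a literal password.

  # Reference the decrypted output of the data source instead.
  password = "${data.aws_kms_secret.db.master_password}"
}
```

The decrypted password is written to the Terraform state in plaintext, so the state file or backend needs the same access restrictions as the secret itself.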