[AWS] How to let RDS decrypt a KMS-encrypted master password?

[Andreas Ka]

Hi,

This is maybe more AWS-related, but since I'm following this little tutorial from Terraform I hope somebody can help me here:

I'm reading https://www.terraform.io/docs/providers/aws/d/kms_secret.html which explains how to encrypt a password via KMS before an RDS cluster gets created.

When trying using that encrypted password with `terraform apply` I'm receiving this error:

Error creating DB Instance: InvalidParameterValue: The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"',' ' may be used.

What else is necessary to allow the RDS instance to decrypt the password? I can imagine it has something to do with roles/policies, but what is it exactly?

Best,

Andreas

[MCraig]

Your User, or IAM role, needs to have kms_decrypt allowed. I haven't tried your use case below, but I am using KMS for encrypting other values.