fix(mpc-party): split KMS permissions for GetPublicKey action

maxnovawind · maxnovawind · commit bad56bd17267 · 2025-09-22T18:22:06.000+02:00
Signed-off-by: Ghislain Cheng &lt;ghislain.cheng@zama.ai&gt;
diff --git a/modules/mpc-party/main.tf b/modules/mpc-party/main.tf
@@ -262,6 +262,16 @@ resource "aws_kms_key" "mpc_party" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${module.iam_assumable_role_mpc_party.iam_role_name}"
+        },
+        Action = [
+          "kms:GetPublicKey",
+        ],
+        Resource = "*",
+      },
       {
         Effect = "Allow",
         Principal = {
@@ -270,7 +280,6 @@ resource "aws_kms_key" "mpc_party" {
         Action = [
           "kms:Decrypt",
           "kms:GenerateDataKey",
-          "kms:GetPublicKey"
         ],
         Resource = "*",
         Condition = {
@@ -343,7 +352,6 @@ resource "aws_kms_key" "mpc_party_backup" {
         Action = [
           "kms:Decrypt",
           "kms:GenerateDataKey",
-          "kms:GetPublicKey"
         ],
         Resource = "*",
         Condition = {
