DynamoDB table: Customer Managed encryption throws KMS key access denied #18616

@amitsharma1729

Description

What is the problem?

Whenever I create a new Table resource in my stack it throws a KMS access denied/Not found exception upon deployment of the CloudFormation stack. The table that I am creating has the following properties:

    // CDK v1 imports (CLI 1.109.0 reported below)
    import { RemovalPolicy } from '@aws-cdk/core';
    import { AttributeType, BillingMode, Table, TableEncryption } from '@aws-cdk/aws-dynamodb';

    new Table(this, 'TableRandomId', {
      tableName: 'TemporaryName123',
      partitionKey: { name: 'employeeName', type: AttributeType.STRING },
      encryption: TableEncryption.CUSTOMER_MANAGED, // no encryptionKey passed, so CDK creates the KMS key
      billingMode: BillingMode.PAY_PER_REQUEST,
      pointInTimeRecovery: true,
      removalPolicy: RemovalPolicy.RETAIN,
      timeToLiveAttribute: 'expires_at',
    });

Whenever this resource is on the step of being created it throws the following error:

KMS key access denied error: com.amazonaws.services.kms.model.AWSKMSException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: *****; Proxy: null) (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: ****; Proxy: null)

The only change in my previously successfully deploying stack is the addition of a new table, that's it!

Reproduction Steps

Create a table with CustomerManaged encryption.

What did you expect to happen?

A new table being created without any issues. Or at least a more descriptive error message :)

What actually happened?

KMS access denied or not found, failing the table creation.

CDK CLI Version

1.109.0 (build c647e38)

Framework Version

No response

Node.js Version

14.x

OS

macOS BigSur 11.6.2

Language

Typescript

Language Version

4.3.2

Other information

No response
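The report does not say which key the failing table actually referenced. A check that narrows "does not exist, does not exist in this region, or you are not allowed to access" before deploying is to read the template that `cdk synth` produces and list, for every table using a customer managed key, whether that key is defined in the same stack or is an external reference that must already exist in the target account and region. This is an added example, not code from the issue or from the CDK project; the template at the bottom is constructed by hand to mirror the table above.

```typescript
// Added example (not from the issue or the CDK project). Input is the JSON that
// `cdk synth` writes; the sample template at the bottom is constructed by hand.
type CfnResource = { Type: string; Properties?: Record<string, any>; DeletionPolicy?: string };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface SseFinding {
  table: string;
  keyRef: string;                  // logical id of an in-template key, or the external value
  inTemplate: boolean;             // false: the key must already exist in this account/region
  rotationEnabled: boolean | null; // null for external keys (not visible in the template)
  keyRetained: boolean | null;     // null for external keys
}
// A { Ref } or Fn::GetAtt to an AWS::KMS::Key in this template is an in-template key;
// any other value (key ARN, key id, alias) is an external reference.
function resolveKeyRef(value: any, resources: Record<string, CfnResource>) {
  if (value && typeof value === 'object') {
    const id = value.Ref ?? (Array.isArray(value['Fn::GetAtt']) ? value['Fn::GetAtt'][0] : undefined);
    if (typeof id === 'string' && resources[id]?.Type === 'AWS::KMS::Key') return { id, inTemplate: true };
    return { id: JSON.stringify(value), inTemplate: false };
  }
  return { id: String(value), inTemplate: false };
}
// One finding per table that uses a customer managed key (SSEType KMS).
function checkTableEncryption(template: CfnTemplate): SseFinding[] {
  const findings: SseFinding[] = [];
  for (const [name, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::DynamoDB::Table') continue;
    const sse = res.Properties?.SSESpecification;
    if (!sse || sse.SSEType !== 'KMS') continue; // AWS owned/managed keys need no key reference
    const ref = resolveKeyRef(sse.KMSMasterKeyId, template.Resources);
    const key = ref.inTemplate ? template.Resources[ref.id] : undefined;
    findings.push({
      table: name, keyRef: ref.id, inTemplate: ref.inTemplate,
      rotationEnabled: key ? key.Properties?.EnableKeyRotation === true : null,
      keyRetained: key ? key.DeletionPolicy === 'Retain' : null,
    });
  }
  return findings;
}
// Constructed sample: TableRandomId uses a key defined in the stack (what CDK emits for
// CUSTOMER_MANAGED with no explicit encryptionKey); OtherTable points at a placeholder external ARN.
const sampleTemplate: CfnTemplate = { Resources: {
  TableKey: { Type: 'AWS::KMS::Key', DeletionPolicy: 'Retain', Properties: { EnableKeyRotation: true } },
  TableRandomId: { Type: 'AWS::DynamoDB::Table', DeletionPolicy: 'Retain', Properties: {
    TableName: 'TemporaryName123',
    SSESpecification: { SSEEnabled: true, SSEType: 'KMS', KMSMasterKeyId: { 'Fn::GetAtt': ['TableKey', 'Arn'] } } } },
  OtherTable: { Type: 'AWS::DynamoDB::Table', Properties: { SSESpecification: { SSEEnabled: true,
    SSEType: 'KMS', KMSMasterKeyId: 'arn:aws:kms:us-east-1:111111111111:key/EXTERNAL-KEY-PLACEHOLDER' } } },
} };
```

An external finding is the case to verify in the target account and region before `cdk deploy`; an in-template finding with rotation disabled or no Retain policy is worth fixing on the key construct, since a RETAIN table that outlives its key cannot be read.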

Labels

@aws-cdk/aws-dynamodb (Related to Amazon DynamoDB); bug (This issue is a bug.); closed-for-staleness (This issue was automatically closed because it hadn't received any attention in a while.); effort/medium (Medium work item, several days of effort); p2
