The Error

When working with Terraform, you may encounter this error:

Error: AccessDeniedException: User is not authorized to perform kms:CreateGrant

This error can block your entire workflow. Let’s understand why it happens and how to fix it.

What Causes This Error

KMS authorizes a request only when both the key policy and the caller's IAM policy allow it, and an IAM policy only counts at all if the key policy delegates to the account (the usual "Enable IAM User Permissions" statement granting kms:* to the account root). The Terraform principal is missing one or both halves. kms:CreateGrant in particular is required when Terraform creates a resource that an AWS service keeps encrypting with a customer-managed key after creation, such as an EBS volume or an RDS instance: EC2 or RDS creates a grant on the key on the caller's behalf so the service can use the key later, and the call fails with this error if the caller is not allowed to create grants. S3 buckets with SSE-KMS default encryption do not use grants but do need kms:GenerateDataKey and kms:Decrypt on the key.

How to Fix It

Solution 1

Add the KMS permissions the service needs to the IAM role: kms:CreateGrant, kms:Decrypt and kms:GenerateDataKey are the ones this error points at, and EBS and RDS typically also call kms:Encrypt, kms:ReEncrypt* and kms:DescribeKey. Grant them on the key's ARN, not on "*". This only works if the key policy delegates to IAM for the key's account (see Solution 2).

Solution 2

Update the KMS key policy to name the IAM principal as a key user. Either add the role ARN to a statement allowing the kms:Encrypt/Decrypt/ReEncrypt*/GenerateDataKey*/DescribeKey actions and a separate statement allowing kms:CreateGrant (ideally with the kms:GrantIsForAWSResource condition), or keep the key policy's delegation to the account root so the IAM policy from Solution 1 can take effect. If the key policy has neither, no IAM policy in the account can fix the error.

Solution 3

For cross-account KMS, both sides must grant access: the key policy in the key-owning account must list the external principal (or its account) for the required actions, and an IAM policy in the caller's account must allow the same actions on the key's ARN. Delegation to the account root in the key policy does not extend to principals in other accounts, so a missing key-policy statement is the usual cause.
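The key-policy side of Solutions 2 and 3, as an added Terraform example that is not from the original post. It keeps the account-root delegation so IAM policies in the key's own account are honoured, names a Terraform deploy role and a role in a second account as key users, and restricts CreateGrant to grants made for AWS resources. The account ID, role names and key description are placeholder assumptions.

```hcl
# Added example, not from the original post. Account IDs and role names are
# assumed placeholders; replace them with your own.

data "aws_caller_identity" "current" {}

locals {
  # Role that runs terraform apply in this account (assumed name).
  terraform_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/terraform-deploy"
  # Role in a second account that must also use the key (assumed).
  other_account_role = "arn:aws:iam::222222222222:role/app-deploy"
}

data "aws_iam_policy_document" "key_policy" {
  # Without this statement KMS ignores every IAM policy in this account:
  # the key policy must delegate to the account for IAM to matter.
  statement {
    sid       = "EnableIAMUserPermissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Solution 2 and 3: name the key users explicitly. Cross-account
  # principals must appear here; root delegation does not cover them.
  statement {
    sid    = "AllowKeyUse"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"] # "*" in a key policy means this key
    principals {
      type        = "AWS"
      identifiers = [local.terraform_role_arn, local.other_account_role]
    }
  }

  # EC2 and RDS create grants on the key on the caller's behalf. Allow
  # CreateGrant only for grants that an AWS service creates for a resource.
  statement {
    sid       = "AllowAttachmentOfPersistentResources"
    effect    = "Allow"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.terraform_role_arn, local.other_account_role]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "data" {
  description         = "Customer-managed key for EBS, RDS and S3 encryption"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.key_policy.json
}
```

The role in the second account still needs its own IAM policy allowing the same actions on this key's ARN; the key policy alone is not enough for a cross-account caller, just as an IAM policy alone is not enough when the key policy says nothing about the caller.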

Solution 4

Scope the IAM permissions to specific keys. The key is selected by the policy's Resource element (the key ARN, never "*"), and kms: condition keys narrow how the permission can be used: kms:ViaService limits Decrypt and GenerateDataKey to calls made through a named service such as ec2 or rds, and kms:GrantIsForAWSResource limits CreateGrant to grants that an AWS service creates for a resource. There is no aws:kms condition key.
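The IAM side of Solutions 1 and 4 as one added Terraform example, not code from the original post. It attaches to the deploy role only the actions the error points at, only on one key ARN, with the data-key actions restricted to calls made through EC2, RDS and S3 and CreateGrant restricted to grants for AWS resources. The key ARN, region and role name are placeholder assumptions; kms:DescribeKey is left unconditioned because Terraform may call it directly (for example through an aws_kms_key data source), which a kms:ViaService condition would deny.

```hcl
# Added example, not from the original post. The key ARN, region and role
# name are assumed placeholders.

variable "kms_key_arn" {
  description = "ARN of the customer-managed key used for EBS/RDS/S3 encryption"
  type        = string
  default     = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
}

variable "region" {
  type    = string
  default = "us-east-1"
}

data "aws_iam_policy_document" "kms_use" {
  # Solution 1: data-key operations the services perform for the caller.
  # Solution 4: scoped to one key ARN and to calls made via those services.
  statement {
    sid    = "UseKeyViaServices"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
    ]
    resources = [var.kms_key_arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        "ec2.${var.region}.amazonaws.com",
        "rds.${var.region}.amazonaws.com",
        "s3.${var.region}.amazonaws.com",
      ]
    }
  }

  # DescribeKey is called directly by Terraform, so no ViaService condition.
  statement {
    sid       = "DescribeKey"
    effect    = "Allow"
    actions   = ["kms:DescribeKey"]
    resources = [var.kms_key_arn]
  }

  # CreateGrant is only needed so EC2/RDS can attach the key to a volume or
  # instance; limit it to grants created for an AWS resource.
  statement {
    sid       = "CreateGrantForAWSResource"
    effect    = "Allow"
    actions   = ["kms:CreateGrant"]
    resources = [var.kms_key_arn]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "kms_use" {
  name   = "terraform-deploy-kms-use"
  policy = data.aws_iam_policy_document.kms_use.json
}

resource "aws_iam_role_policy_attachment" "kms_use" {
  role       = "terraform-deploy" # assumed existing deploy role
  policy_arn = aws_iam_policy.kms_use.arn
}
```

If the error persists after this policy is attached, the key policy is the remaining suspect: it must either delegate to the account root or name the role directly, and for a key in another account it must name the role directly.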

Prevention Tips

  • Do not rely on terraform validate or terraform plan to catch this: they check syntax, schema and desired state, while KMS authorization is only evaluated by AWS at apply time
  • Manage the KMS key policy and the IAM policy in the same Terraform configuration so the two halves of the authorization are reviewed and changed together
  • Grant KMS actions on key ARNs rather than "*", and use the kms: condition keys so a compromised role cannot use the key outside the intended service
  • Use terraform fmt to keep configuration clean and readable
  • Pin provider versions to avoid unexpected schema changes
  • Review plan output carefully before applying, especially changes to aws_kms_key policies and aws_iam_policy documents

Conclusion

This error is common but straightforward to fix once you know that KMS checks both the key policy and the IAM policy: find which of the two is missing the principal or the kms:CreateGrant action and add it, scoped to the key in question. Following the prevention tips above will help you avoid this error in future projects.