Set the variables that the template uses:
# Example values only -- replace both with your real 12-digit account IDs.
# The IDs are kept as literal strings, so the leading zero is preserved.
AWS_ACCOUNT_ID=012345678901
HEROKU_DATA_ACCOUNT_ID=098765432109
# Export them so child processes (such as envsubst) inherit the values.
export AWS_ACCOUNT_ID HEROKU_DATA_ACCOUNT_ID
Render the key policy template (`key_policy.json`, shown below) with the variables substituted:
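# Render the key policy template to stdout.
# Stop early if either account ID is unset or empty: envsubst would otherwise
# substitute an empty string and emit a principal ARN with no account ID.
: "${AWS_ACCOUNT_ID:?must be set}" "${HEROKU_DATA_ACCOUNT_ID:?must be set}"
# Limit substitution to the two placeholders the template uses, so any other
# $NAME text in the file is passed through unchanged. The single quotes are
# intentional: envsubst expects the variable names literally.
# shellcheck disable=SC2016
envsubst '${AWS_ACCOUNT_ID} ${HEROKU_DATA_ACCOUNT_ID}' < key_policy.json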
{"Id":"KMS-policy","Version":"2012-10-17","Statement":[{"Sid":"EnableIAMUserPermissions","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::${AWS_ACCOUNT_ID}:root"},"Action":"kms:*","Resource":"*"},{"Sid":"Allowuseofthekey","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::${HEROKU_DATA_ACCOUNT_ID}:root"},"Action":["kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"],"Resource":"*"},{"Sid":"Allowattachmentofpersistentresources","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::${HEROKU_DATA_ACCOUNT_ID}:root"},"Action":["kms:CreateGrant","kms:ListGrants","kms:RevokeGrant"],"Resource":"*","Condition":{"Bool":{"kms:GrantIsForAWSResource":"true"}}}]}