Add KMS permissions to BedrockKB S3VectorManagerRole for customer-managed encryption keys

Author: Bob Strahan

options/bedrockkb/template.yaml

@@ -422,6 +422,21 @@ Resources:
                 Action:
                   - iam:PassRole
                 Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*"
+        - !If
+          - IsCustomerManagedKey
+          - PolicyName: KMSAccess
+            PolicyDocument:
+              Version: '2012-10-17'
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - kms:Encrypt
+                    - kms:Decrypt
+                    - kms:ReEncrypt*
+                    - kms:GenerateDataKey*
+                    - kms:DescribeKey
+                  Resource: !Ref pCustomerManagedEncryptionKeyArn
+          - !Ref "AWS::NoValue"
 
   S3VectorManagerFunction:
     Type: AWS::Serverless::Function