Let's say you have an IAM role in account 12345678 that needs kms:Decrypt access to a key in another account, 987654321. You need to keep the following policy evaluation diagram in mind:
This means your KMS key policy must allow kms:Decrypt for the role, i.e. something like this needs to be in the key policy:

```json
{
  "Sid": "Allow12345678",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::12345678:root"
  },
  "Action": "kms:Decrypt",
  "Resource": "*"
}
```

And your IAM role must allow the kms:Decrypt action as well, something like:

```json
{
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "arn:aws:kms:eu-west-1:987654321:key/abcdef-def-def-fe-ss"
}
```

Otherwise you will run into the error:

```text
AccessDenied (client): User: arn:aws:sts::12345678:assumed-role/xxx-role/474ce5ef81924893ad55740f8ab96872 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action
```
This also applies to S3 bucket policies (and to any other AWS service that supports resource-based policies): for a cross-account caller, the resource policy and the identity policy must both allow the action.
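To make the two-sided rule concrete, here is an added example (not code from the original post, and not the real AWS evaluation engine) that models only what the post describes: for a caller in another account, the key policy and the caller's identity policy must both allow the action, and an explicit Deny in either wins. The account ids, role name and key id are constructed sample values mirroring the post.

```python
"""Simplified cross-account policy evaluation for a KMS key (added example;
not the post's code and not the real AWS engine). Models only the rule the
post describes: key policy AND identity policy must both allow, and an
explicit Deny in either wins. Conditions, NotAction/NotResource and
same-account shortcuts are deliberately not modelled."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcard match ("*", "?") for Action and Resource fields.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, caller_arn):
    # A key policy statement reaches the caller if it names the caller's
    # role ARN, the caller's account root, or "*".
    account_id = caller_arn.split(":")[4]
    principal = stmt.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return any(p in ("*", caller_arn, f"arn:aws:iam::{account_id}:root") for p in aws)


def _effects(statements, action, resource, caller_arn=None):
    # Collect the Effects of the statements that apply to this request.
    found = set()
    for s in statements:
        if caller_arn and not _principal_matches(s, caller_arn):
            continue
        if _matches(s["Action"], action) and _matches(s["Resource"], resource):
            found.add(s["Effect"])
    return found


def is_allowed(key_policy, identity_policy, caller_arn, action, key_arn):
    """True only if both policies allow and neither explicitly denies."""
    key = _effects(key_policy["Statement"], action, key_arn, caller_arn)
    ident = _effects(identity_policy["Statement"], action, key_arn)
    if "Deny" in key or "Deny" in ident:
        return False
    return "Allow" in key and "Allow" in ident


# Constructed sample policies: key in account 987654321, role in 12345678.
KEY_ARN = "arn:aws:kms:eu-west-1:987654321:key/abcdef-def-def-fe-ss"
ROLE_ARN = "arn:aws:iam::12345678:role/xxx-role"
KEY_POLICY = {"Statement": [{"Sid": "Allow12345678", "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::12345678:root"},
              "Action": "kms:Decrypt", "Resource": "*"}]}
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt",
               "Resource": KEY_ARN}]}
EMPTY_POLICY = {"Statement": []}
```

Dropping either policy's Allow statement reproduces the AccessDenied situation from the post, while a Deny in the role's policy blocks access even though the key policy allows it.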