Hi,
So it turns out that there was another profile being used by the AWS CLI that had less limited permissions than the one I was testing. When I added the specific credentials to the golang code I got the same error. So the fix was to add `kms:GenerateDataKey` and `kms:Decrypt`, which aren't covered in the S3FullAccess managed policy, surprisingly.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "MY_KEY_ARN"
    }
  ]
}
```
Once I added this, I could read this data, so will close the issue. The reason this wasn't required in the us-east-1 region was that default encryption was disabled.
Thanks, this issue can be resolved now.