diff --git a/changelogs/fragments/206-kms_key_info.yml b/changelogs/fragments/206-kms_key_info.yml
new file mode 100644
index 00000000000..968fa1163e6
--- /dev/null
+++ b/changelogs/fragments/206-kms_key_info.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- kms_key_info - handle access denied errors more liberally (https://github.com/ansible-collections/community.aws/issues/206).
diff --git a/plugins/modules/aws_kms_info.py b/plugins/modules/aws_kms_info.py
index c67e58d27ec..b693f16d910 100644
--- a/plugins/modules/aws_kms_info.py
+++ b/plugins/modules/aws_kms_info.py
@@ -432,13 +432,19 @@ def get_key_details(connection, module, key_id, tokens=None):
 key_id = result['Arn']
 except is_boto3_error_code('NotFoundException'):
 return None
+ except is_boto3_error_code('AccessDeniedException'): # pylint: disable=duplicate-except
+ module.warn('Permission denied fetching key metadata ({0})'.format(key_id))
+ return None
 except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: # pylint: disable=duplicate-except
 module.fail_json_aws(e, msg="Failed to obtain key metadata")
 result['KeyArn'] = result.pop('Arn')
 try:
 aliases = get_kms_aliases_lookup(connection)
- except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+ except is_boto3_error_code('AccessDeniedException'):
+ module.warn('Permission denied fetching key aliases')
+ aliases = {}
+ except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: # pylint: disable=duplicate-except
 module.fail_json_aws(e, msg="Failed to obtain aliases")
 # We can only get aliases for our own account, so we don't need the full ARN
 result['aliases'] = aliases.get(result['KeyId'], [])
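Review bot: The new `AccessDeniedException` branch in the key-metadata `try` returns `None`, the same value the `NotFoundException` branch returns, so a key the credentials are not allowed to describe silently drops out of the result exactly as a nonexistent key would, with only a `module.warn` that a playbook consuming the module's return value never sees. That is reasonable for a bulk listing where some keys are off-limits, but if the caller passed an explicit key or alias filter (the caller is not visible here) an authorization failure becomes an empty result, which an audit playbook can misread as "no such key". Consider at least making the warning say what the consequence is, e.g. `module.warn('Permission denied fetching key metadata ({0}); key omitted from results'.format(key_id))`, and stating in the module's RETURN documentation that keys the caller cannot describe are omitted rather than reported. `get_key_details` starts before this hunk and continues after it.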
@@ -449,8 +455,12 @@ def get_key_details(connection, module, key_id, tokens=None):
 try:
 result['grants'] = get_kms_grants_with_backoff(connection, key_id, tokens=tokens)['Grants']
- except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+ except is_boto3_error_code('AccessDeniedException'):
+ module.warn('Permission denied fetching key grants ({0})'.format(key_id))
+ result['grants'] = []
+ except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: # pylint: disable=duplicate-except
 module.fail_json_aws(e, msg="Failed to obtain key grants")
+ tags = get_kms_tags(connection, module, key_id)
 result = camel_dict_to_snake_dict(result)
diff --git a/tests/integration/targets/aws_kms/roles/aws_kms/tasks/test_grants.yml b/tests/integration/targets/aws_kms/roles/aws_kms/tasks/test_grants.yml
index d86309e41d9..cb6fd22d040 100644
--- a/tests/integration/targets/aws_kms/roles/aws_kms/tasks/test_grants.yml
+++ b/tests/integration/targets/aws_kms/roles/aws_kms/tasks/test_grants.yml
@@ -82,6 +82,10 @@
 that:
 - key.changed
+ # Roles can take a little while to get ready, pause briefly to give it chance
+ - wait_for:
+ timeout: 20
+ - name: Add grant
 aws_kms:
 alias: '{{ kms_key_alias }}'
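Review bot: `result['grants'] = []` in the new `AccessDeniedException` branch makes a denied grant listing indistinguishable from a key that genuinely has no grants, and the grants list is exactly what an access-review playbook would consume from this module. The only signal is the `module.warn`, which is not part of the returned data, so a downstream assertion such as `grants | length == 0` passes on keys the caller was never allowed to inspect. If the return shape must stay a list for compatibility, at least record the gap in the RETURN documentation for `grants` and make the warning name the consequence and the permission involved, e.g. `module.warn('Permission denied fetching key grants ({0}); grants reported as empty'.format(key_id))` (presumably `kms:ListGrants`, going by the helper's name, but that is not visible here). The enclosing `get_key_details` starts before this hunk.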
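Review bot: The added `wait_for` with `timeout: 20` is an unconditional 20-second sleep to cover IAM role propagation, which slows every run and still races whenever propagation takes longer than 20 s. A bounded retry on the task that actually depends on the role is more robust and usually faster, e.g. adding `register: grant`, `retries: 10`, `delay: 5` and `until: grant is succeeded` to the following `Add grant` task. If the sleep is kept, the comment should name which role and which call it is waiting for so the next person can tell when it is safe to remove.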