StrictAwsKmsMasterKeyProvider fails with CMK Alias ARN #310

Closed
ragona opened this issue Dec 4, 2020 · 3 comments

Comments

@ragona
Contributor

ragona commented Dec 4, 2020

I'm having some trouble that I've narrowed down to my usage of StrictAwsKmsMasterKeyProvider. When you provide a CMK alias to a StrictAwsKmsMasterKeyProvider then the encrypt works fine, but if you immediately turn around to decrypt the resulting blob, it will fail.

It appears that on encrypt the ESDK will use the key alias, but on decrypt it inspects the blob and discovers the full ARN. The provider is configured with the Alias ARN, so there is a mismatch of key ID, and it fails as intended.

If you use the strict ARN then it works fine, but this means that you can't just construct an alias, you have to describe the alias each time. The documentation here seems to suggest that a key alias should work, so my guess is that it is a bug.

Any suggestions?

(p.s. Miss you, team!)

@farleyb-amazon
Contributor

Hey Ryan, this actually is intentional -- the Strict provider does not allow decryption with aliases, for exactly the reason you've pointed out.

Using the strict ARN is our recommendation, but I understand that isn't feasible for all cases. If you want to avoid querying for key ARNs or knowing them ahead of time, you might look into the DiscoveryAwsKmsMasterKeyProvider for your decrypt path, which will allow decryption without explicitly listing key ARNs. If you do use this approach, I'd recommend using a DiscoveryFilter, which lets you limit decryption to only ciphertexts created by keys from the specified AWS accounts and partitions.

In the meantime, I see what you're saying about the documentation suggesting that aliases might work (or at least not being clear enough that they won't work). We'll get that fixed.
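A simplified model of the two decrypt-side checks described in this reply, added here as an illustration and not taken from the aws-encryption-sdk source: the alias ARN, key ARN and account IDs are constructed sample values, and `FAKE_KMS` stands in for KMS resolving the alias during the encrypt call.

```python
"""Simplified model of the strict vs. discovery decision described above.
NOT the aws-encryption-sdk implementation: a constructed alias -> key ARN
mapping stands in for KMS resolving the alias on the encrypt call."""
from dataclasses import dataclass

# Constructed sample values, not real resources.
ALIAS_ARN = "arn:aws:kms:us-west-2:111122223333:alias/my-app-key"
KEY_ARN = ("arn:aws:kms:us-west-2:111122223333:"
           "key/1234abcd-12ab-34cd-56ef-1234567890ab")
FAKE_KMS = {ALIAS_ARN: KEY_ARN}  # stand-in for KMS alias resolution


@dataclass(frozen=True)
class KmsArn:
    partition: str
    region: str
    account: str
    resource: str  # "key/<key-id>" or "alias/<alias-name>"

    @property
    def is_alias(self) -> bool:
        return self.resource.startswith("alias/")


def parse_kms_arn(arn: str) -> KmsArn:
    """Split arn:<partition>:kms:<region>:<account>:<resource>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn}")
    return KmsArn(parts[1], parts[3], parts[4], parts[5])


def header_key_id_after_encrypt(configured_key_id: str) -> str:
    """KMS accepts an alias on encrypt, but the message header records the
    key ARN KMS actually used, so an alias never round-trips to decrypt."""
    return FAKE_KMS.get(configured_key_id, configured_key_id)


def strict_can_decrypt(configured_key_ids, header_key_id: str) -> bool:
    """Strict provider: the header key ARN must equal a configured key id."""
    return header_key_id in configured_key_ids


def discovery_can_decrypt(header_key_id: str, account_ids, partition="aws"):
    """Discovery provider with a DiscoveryFilter: any key is accepted as
    long as it lives in one of the listed accounts and in the partition."""
    arn = parse_kms_arn(header_key_id)
    return arn.partition == partition and arn.account in account_ids
```

In the real SDK the decrypt-side restriction is expressed as `DiscoveryAwsKmsMasterKeyProvider(discovery_filter=DiscoveryFilter(account_ids=[...], partition="aws"))`, so a ciphertext produced under a key from any other account is rejected before a KMS Decrypt call is attempted.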

@acioc

acioc commented Dec 4, 2020

Hi! We miss you too!!

Created #311 to make the documentation text clearer.

Closing this issue, but please re-open or cut us a new issue if you have any other questions.

@acioc acioc closed this as completed Dec 4, 2020
@ragona
Contributor Author

ragona commented Dec 4, 2020

Makes total sense, thank you! I'll keep using the DiscoveryAwsKmsMasterKeyProvider for decrypt (can confirm that was how I got around the decrypt error), and I'll add a DiscoveryFilter to pin it to the intended account.
