Add KMS support
fdaugan opened this issue · 1 comments
fdaugan commented
When the SSM session is protected with KMS, data payloads fail to be sent or received.
See https://github.com/aws/session-manager-plugin/blob/mainline/src/datachannel/streaming.go:
// Encrypt if encryption is enabled and payload type is Output.
// Both conditions must hold: a payload of any other type, and any payload
// handled while encryptionEnabled is still false, skips this branch and
// inputData is left exactly as it was passed in.
if dataChannel.encryptionEnabled && payloadType == message.Output {
	// The result of Encrypt overwrites inputData.
	inputData, err = dataChannel.encryption.Encrypt(log, inputData)
	if err != nil {
		// Return on failure so nothing after this block runs with a payload
		// that could not be encrypted.
		return err
	}
}
case message.KMSEncryption:
	// KMS encryption handshake action: copy the action type into the result
	// and pass the action parameters to the handshake handler.
	processedAction.ActionType = action.ActionType
	err := dataChannel.ProcessKMSEncryptionHandshakeAction(log, action.ActionParameters)
	if err != nil {
		// Handshake failed: mark the action as failed and collect the error.
		// encryptionEnabled is not touched on this path.
		processedAction.ActionStatus = message.Failed
		// NOTE(review): the underlying error text is copied into the action
		// result; presumably that result is sent back to the peer. Confirm
		// it cannot carry sensitive detail.
		processedAction.Error = fmt.Sprintf("Failed to process action %s: %s",
			message.KMSEncryption, err)
		errorList = append(errorList, err)
	} else {
		processedAction.ActionStatus = message.Success
		// The result carries the value of GetEncryptedDataKey(), not a
		// plaintext key (going by the accessor and field names; TODO confirm).
		processedAction.ActionResult = message.KMSEncryptionResponse{
			KMSCipherTextKey: dataChannel.encryption.GetEncryptedDataKey(),
		}
		// The flag is set only after the handshake handler returned no error.
		dataChannel.encryptionEnabled = true
	}