djcrabhat/aws-ssm-commander

KMS decryption issue with KMS key not in the same region as Parameter Store.

Opened this issue · 1 comment

Hi,

Getting an error when the password is encrypted using a custom KMS key in a different region than the Parameter Store write region.

Usage: aws-ssm-commander write [OPTIONS] SSM_PREFIX FILE

Error: Invalid value: could not decode !kms value: An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

Steps to reproduce:

  1. create a custom KMS key in us-east-1 and use it to encrypt a password for Parameter Store
  2. use aws-ssm-commander write on a us-west-2 Parameter Store.

Maybe add a new parameter, --kms-region?

Workaround: Create the custom KMS key in the same region.

Thanks

--Guang

Good call. Yeah, that's an interesting one. I think your flag for a specific KMS region is a good one. Will think on that.
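The failure above is a property of KMS, not of the tool: Decrypt must be called in the region that owns the CMK, and the ciphertext alone does not tell a client which region that is, so a tool that reuses its SSM region for KMS calls fails exactly as reported. The following is an added example (not aws-ssm-commander's code, and not how the project parses its input file) showing the shape a `--kms-region` option could take: an explicit KMS region overrides the SSM write region for the Decrypt call, and a cross-region AccessDeniedException is turned into an error that names the region that was tried. The `!kms <base64>` tag format, the function names, and the in-memory `FakeKmsClient` (a constructed stand-in for KMS so the script runs offline) are all assumptions; `client_factory` defaults to `boto3.client` when you want to run it against real AWS.

```python
import base64
import binascii


class KmsDecryptError(Exception):
    """Raised when a !kms value cannot be decrypted; the message says why."""


def parse_kms_tag(value):
    """Return raw ciphertext bytes from a '!kms <base64>' string (assumed tag format)."""
    prefix = "!kms "
    if not value.startswith(prefix):
        raise ValueError("not a !kms value: %r" % value)
    try:
        return base64.b64decode(value[len(prefix):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise KmsDecryptError("could not base64-decode !kms value: %s" % exc) from exc


def resolve_kms_region(ssm_region, kms_region=None):
    """Model of a --kms-region flag: an explicit KMS region wins, otherwise
    fall back to the SSM write region (the behaviour that triggers the report)."""
    return kms_region or ssm_region


def error_code(exc):
    """Pull the service error code out of a botocore-style ClientError."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", type(exc).__name__)


def decrypt_kms_value(value, ssm_region, kms_region=None, client_factory=None):
    """Decrypt a !kms value, calling KMS in the key's region, not blindly in
    the SSM region. client_factory defaults to boto3.client; the demo injects a fake."""
    if client_factory is None:
        import boto3  # only needed when talking to real AWS
        client_factory = boto3.client
    region = resolve_kms_region(ssm_region, kms_region)
    ciphertext = parse_kms_tag(value)
    kms = client_factory("kms", region_name=region)
    try:
        response = kms.decrypt(CiphertextBlob=ciphertext)
    except Exception as exc:  # botocore raises ClientError; kept generic for the fake
        code = error_code(exc)
        hint = ""
        if code in ("AccessDeniedException", "NotFoundException") and kms_region is None:
            hint = (" (Decrypt was called in the SSM region %r; if the CMK lives in "
                    "another region, pass that region explicitly)" % ssm_region)
        raise KmsDecryptError("could not decode !kms value: %s%s" % (code, hint)) from exc
    return response["Plaintext"].decode("utf-8")


# --- Constructed offline stand-in for KMS (demo/test only) -------------------

class FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError's .response layout."""

    def __init__(self, code, message):
        super().__init__("An error occurred (%s) when calling the Decrypt operation: %s"
                         % (code, message))
        self.response = {"Error": {"Code": code, "Message": message}}


# Constructed sample: one CMK in us-east-1 that encrypted the string "s3cret".
# Real KMS ciphertext embeds the key id; this fake simply maps blob -> (region, plaintext).
FAKE_KEYSTORE = {b"ciphertext-from-us-east-1-cmk": ("us-east-1", b"s3cret")}
SAMPLE_VALUE = "!kms " + base64.b64encode(b"ciphertext-from-us-east-1-cmk").decode("ascii")


class FakeKmsClient:
    """Like KMS: Decrypt only succeeds in the region that owns the key."""

    def __init__(self, region_name):
        self.region_name = region_name

    def decrypt(self, CiphertextBlob):
        entry = FAKE_KEYSTORE.get(CiphertextBlob)
        if entry is None or entry[0] != self.region_name:
            raise FakeClientError(
                "AccessDeniedException",
                "The ciphertext refers to a customer master key that does not exist, "
                "does not exist in this region, or you are not allowed to access.")
        return {"Plaintext": entry[1]}


def fake_client_factory(service, region_name):
    assert service == "kms"
    return FakeKmsClient(region_name)


if __name__ == "__main__":
    # Reproduce the report: SSM region us-west-2, key in us-east-1, no --kms-region.
    try:
        decrypt_kms_value(SAMPLE_VALUE, "us-west-2", client_factory=fake_client_factory)
    except KmsDecryptError as err:
        print("without --kms-region:", err)
    # With the explicit KMS region the same value decrypts.
    print("with --kms-region us-east-1:",
          decrypt_kms_value(SAMPLE_VALUE, "us-west-2", "us-east-1", fake_client_factory))
```

Two things worth keeping from this even if the real fix looks different: the KMS client must be built from the key's region independently of the SSM client, and the error surfaced to the user should name the region that was actually tried, since the raw KMS message ("does not exist, does not exist in this region, or you are not allowed to access") hides which of the three it was.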