kms decryption issue with KMS key not on the same region as parameter store.
gwsu2008 commented
Hi,
Getting an error when the password is encrypted using a custom KMS key in a different region than the parameter store write region.
Usage: aws-ssm-commander write [OPTIONS] SSM_PREFIX FILE
Error: Invalid value: could not decode !kms value: An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Steps to reproduce:
- create custom KMS key on us-east-1 and use it to encrypt a password for parameter store
- use this aws-ssm-commander write on a us-west-2 parameter store.
Maybe adding a new parameter --kms-region?
Workaround: Create custom KMS key on the same region.
Thanks
--Guang
djcrabhat commented
Good call. Ya, that's an interesting one. I think your flag for a specific KMS region is a good one. Will think on that.
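A sketch of how the proposed `--kms-region` option could separate the decrypt region from the write region. This is an added example, not aws-ssm-commander's code: `write_kms_value`, `StubClient`, the `SecureString` parameter type, and the parameter name are assumptions, and the stub stands in for AWS so the snippet runs offline.

```python
import base64

KEY_REGION = "us-east-1"  # constructed: region where the custom KMS key lives


def boto3_client(service, region_name):
    # Real factory; boto3 is imported lazily so the stub demo below runs offline.
    import boto3
    return boto3.client(service, region_name=region_name)


class StubClient:
    """Constructed offline stand-in for the KMS and SSM clients."""
    stored = {}

    def __init__(self, service, region_name):
        self.region = region_name

    def decrypt(self, CiphertextBlob):
        if self.region != KEY_REGION:  # mimics the AccessDeniedException in the report
            raise PermissionError("key does not exist in this region")
        return {"Plaintext": b"s3cret"}

    def put_parameter(self, Name, Value, Type, Overwrite):
        StubClient.stored[(self.region, Name)] = Value


def write_kms_value(name, ciphertext_b64, ssm_region, kms_region=None,
                    client_factory=boto3_client):
    """Decrypt in kms_region (hypothetical --kms-region), store in ssm_region."""
    decrypt_region = kms_region or ssm_region  # without the flag: the failing case
    kms = client_factory("kms", decrypt_region)
    ssm = client_factory("ssm", ssm_region)
    blob = base64.b64decode(ciphertext_b64)
    plaintext = kms.decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")
    ssm.put_parameter(Name=name, Value=plaintext, Type="SecureString", Overwrite=True)
    return decrypt_region


if __name__ == "__main__":
    ct = base64.b64encode(b"constructed-ciphertext").decode()
    print(write_kms_value("/app/db_password", ct, "us-west-2",
                          kms_region="us-east-1", client_factory=StubClient))
```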