segmentio/chamber

Chamber using wrong KMS Key

Closed this issue · 1 comments

I'm using chamber v2.10.12 with the default Parameter Store backend.

When I run chamber locally or in AWS CodeBuild I get the following error:

Error: Failed to write secret: InvalidKeyId: arn:aws:kms:us-east-1:234148435633:key/KEYIDHERE is pending deletion. (Service: AWSKMS; Status Code: 400; Error Code: KMSInvalidStateException; Request ID: a45f1c26-e158-43b1-88e7-576d40fd5c77; Proxy: null)

I can't figure out why chamber is even trying to use that key. The key in that error is pending deletion and does NOT have any alias set. I have a new key that I made this morning that does have the alias/parameter_store_key alias set. I've tried setting the CHAMBER_KMS_KEY_ALIAS env var but that doesn't seem to change anything; I still get the same error message with the wrong key id in it.

Turns out the problem was that I had some leftover Parameter Store secrets that were encrypted with the old, deleted key. Deleting them and re-importing with Chamber and my new KMS key solved the issue.
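
An added example, not part of the issue thread or of chamber itself: a check that lists SecureString parameters still bound to a KMS key that is not in the Enabled state, which is the leftover condition described in the resolution above. The parameter names, account ID and key ARN are constructed placeholders, and the function names are hypothetical; `audit_account` assumes boto3 and AWS credentials are available.

```python
USABLE_STATES = {"Enabled"}

# Constructed sample shaped like ssm:DescribeParameters output (not real data).
SAMPLE_PARAMETERS = [
    {"Name": "/myservice/db_password", "Type": "SecureString",
     "KeyId": "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-PLACEHOLDER"},
    {"Name": "/myservice/api_token", "Type": "SecureString",
     "KeyId": "alias/parameter_store_key"},
    {"Name": "/myservice/log_level", "Type": "String"},
]
# Constructed KeyState values, as kms:DescribeKey would report them.
SAMPLE_KEY_STATES = {
    "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-PLACEHOLDER": "PendingDeletion",
    "alias/parameter_store_key": "Enabled",
}


def find_stale_parameters(parameters, key_state):
    """Return (name, key_id, state) for SecureStrings whose KMS key is unusable."""
    cache, stale = {}, []
    for p in parameters:
        key_id = p.get("KeyId")
        if p.get("Type") != "SecureString" or not key_id:
            continue  # plain String parameters are not tied to a KMS key
        if key_id not in cache:
            cache[key_id] = key_state(key_id)  # one lookup per distinct key
        if cache[key_id] not in USABLE_STATES:
            stale.append((p["Name"], key_id, cache[key_id]))
    return stale


def audit_account(region="us-east-1"):
    """Run the same check against a live account (needs boto3 and credentials)."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    kms = boto3.client("kms", region_name=region)
    pages = ssm.get_paginator("describe_parameters").paginate(
        ParameterFilters=[{"Key": "Type", "Values": ["SecureString"]}])
    params = [p for page in pages for p in page["Parameters"]]
    return find_stale_parameters(
        params, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"]["KeyState"])


if __name__ == "__main__":
    for name, key_id, state in find_stale_parameters(
            SAMPLE_PARAMETERS, SAMPLE_KEY_STATES.get):
        print(f"{name}: key {key_id} is {state}")
```

Running this kind of audit before scheduling a key for deletion shows which parameters would need to be re-encrypted under the replacement key first.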