Chamber using wrong KMS Key
I'm using chamber v2.10.12 with the default Parameter Store backend.
When I run chamber locally or in AWS CodeBuild I get the following error:
Error: Failed to write secret: InvalidKeyId: arn:aws:kms:us-east-1:234148435633:key/KEYIDHERE is pending deletion. (Service: AWSKMS; Status Code: 400; Error Code: KMSInvalidStateException; Request ID: a45f1c26-e158-43b1-88e7-576d40fd5c77; Proxy: null)
I can't figure out why chamber is even trying to use that key. The key in that error is pending deletion and does NOT have any alias set. I have a new key that I made this morning that does have the alias/parameter_store_key alias set. I've tried setting the CHAMBER_KMS_KEY_ALIAS env var but that doesn't seem to change anything; I still get the same error message with the wrong key id in it.
Turns out the problem was that I had some leftover Parameter Store secrets that were encrypted with the old, deleted key. Deleting them and re-importing with Chamber and my new KMS key solved the issue.
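A check for the condition described in the resolution above, as an added example that is not part of the original issue or of chamber: it flags SecureString parameters whose recorded KMS key is not in the `Enabled` state. It assumes input shaped like the JSON from `aws ssm describe-parameters`, `aws kms list-aliases` and `aws kms describe-key`; the function name and all sample values are constructed.

```python
# Constructed sample data shaped like AWS CLI JSON output (not real account values).
OLD_ARN = "arn:aws:kms:us-east-1:111122223333:key/old-key-id"
PARAMETERS = [  # "Parameters" list from `aws ssm describe-parameters`
    {"Name": "/app/db_password", "Type": "SecureString", "KeyId": OLD_ARN},
    {"Name": "/app/api_token", "Type": "SecureString",
     "KeyId": "alias/parameter_store_key"},
    {"Name": "/app/legacy", "Type": "SecureString", "KeyId": "gone-key-id"},
    {"Name": "/app/log_level", "Type": "String"},
]
ALIASES = [  # "Aliases" list from `aws kms list-aliases`
    {"AliasName": "alias/parameter_store_key", "TargetKeyId": "new-key-id"},
]
KEYS = [  # "KeyMetadata" objects from `aws kms describe-key`, one per key
    {"KeyId": "old-key-id", "Arn": OLD_ARN, "KeyState": "PendingDeletion"},
    {"KeyId": "new-key-id",
     "Arn": "arn:aws:kms:us-east-1:111122223333:key/new-key-id",
     "KeyState": "Enabled"},
]


def parameters_with_unusable_keys(parameters, aliases, keys):
    """Return (name, key_ref, state) for SecureStrings whose key is not Enabled."""
    # A parameter may record its key as a key id, a key ARN or an alias name.
    state_by_ref = {}
    for meta in keys:
        state_by_ref[meta["KeyId"]] = meta["KeyState"]
        state_by_ref[meta["Arn"]] = meta["KeyState"]
    for alias in aliases:
        target = alias.get("TargetKeyId")
        if target in state_by_ref:
            state_by_ref[alias["AliasName"]] = state_by_ref[target]

    findings = []
    for param in parameters:
        if param.get("Type") != "SecureString":
            continue  # plain String parameters are not KMS-encrypted
        key_ref = param.get("KeyId")
        # A key that no longer resolves (already deleted) is reported as Unknown.
        state = state_by_ref.get(key_ref, "Unknown")
        if state != "Enabled":
            findings.append((param["Name"], key_ref, state))
    return findings


if __name__ == "__main__":
    for name, key_ref, state in parameters_with_unusable_keys(
            PARAMETERS, ALIASES, KEYS):
        print(f"{name}: key {key_ref} is {state}")
```

Parameters reported here are the ones to delete and re-import under the new key, as the resolution describes.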