
Encrypt throws incorrect error when a CMK within KMSMasterKeyProvider is disabled #142

Open
paavan98pm opened this issue Feb 20, 2019 · 1 comment

@paavan98pm

If a CMK is disabled/deleted within KMSMasterKeyProvider CMKs, the encrypt call throws a couple of errors (below).

botocore.errorfactory.DisabledException: An error occurred (DisabledException) when calling the Encrypt operation: arn:aws:kms:eu-west-2:xxxxxxx

aws_encryption_sdk.exceptions.EncryptKeyError: Master Key arn:aws:kms:eu-west-2

import aws_encryption_sdk

kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
    'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
])
my_plaintext = b'This is some super secret data!  Yup, sure is!'

my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
    source=my_plaintext,
    key_provider=kms_key_provider,
    encryption_context={
        'not really': 'a secret',
        'but adds': 'some authentication'
    }
)

decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
    source=my_ciphertext,
    key_provider=kms_key_provider
)

assert my_plaintext == decrypted_plaintext
assert encryptor_header.encryption_context == decryptor_header.encryption_context

@mattsb42-aws (Member)

The general pattern here is correct. The behavior of KMSMasterKeyProvider on encrypt is that all master keys must succeed or the entire process will fail.

That said, this should be being swallowed in either a GenerateKeyError or EncryptKeyError to simply say that the master key failed the requested operation.

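A pre-flight check along the lines of the maintainer's explanation above: since encrypt needs every master key to succeed, verifying each CMK's KeyState before handing the list to KMSMasterKeyProvider replaces the raw botocore DisabledException with one clear error naming the offending keys. This is an added example, not code from the issue or from aws-encryption-sdk; `UnusableMasterKeys`, `find_unusable_cmks`, `assert_all_cmks_usable`, `fake_describe_key` and `FAKE_KMS` are assumed names, and the KMS responses are constructed.

```python
from typing import Any, Callable, Dict, Iterable

# Constructed sample responses for the placeholder ARNs from the issue, with the
# second CMK disabled; swap fake_describe_key for a real KMS client in practice.
KEY_OK = "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222"
KEY_DISABLED = "arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333"
FAKE_KMS = {
    KEY_OK: {"KeyMetadata": {"KeyId": KEY_OK, "Enabled": True, "KeyState": "Enabled"}},
    KEY_DISABLED: {"KeyMetadata": {"KeyId": KEY_DISABLED, "Enabled": False, "KeyState": "Disabled"}},
}

class NotFoundException(Exception):
    """Stands in for botocore's KMS NotFoundException (deleted or unknown key)."""

def fake_describe_key(key_id: str) -> Dict[str, Any]:
    if key_id not in FAKE_KMS:
        raise NotFoundException(key_id)
    return FAKE_KMS[key_id]

class UnusableMasterKeys(Exception):
    """Hypothetical error raised before encrypt when a configured CMK cannot encrypt."""
    def __init__(self, problems: Dict[str, str]) -> None:
        self.problems = problems
        detail = ", ".join(f"{k}: {v}" for k, v in sorted(problems.items()))
        super().__init__(f"master keys unusable for encrypt: {detail}")

def find_unusable_cmks(describe_key: Callable[[str], Dict[str, Any]],
                       key_ids: Iterable[str]) -> Dict[str, str]:
    """Map each CMK that cannot serve Encrypt to its KeyState (or the error name).
    `describe_key` takes a key id or ARN and returns a dict shaped like boto3's
    kms.describe_key(KeyId=...) response, e.g. lambda k: kms.describe_key(KeyId=k);
    KMS only accepts Encrypt/GenerateDataKey for keys whose KeyState is "Enabled".
    """
    problems: Dict[str, str] = {}
    for key_id in key_ids:
        try:
            meta = describe_key(key_id)["KeyMetadata"]
        except Exception as exc:  # NotFoundException for a deleted key, AccessDenied, ...
            problems[key_id] = type(exc).__name__
            continue
        if meta.get("KeyState") != "Enabled" or not meta.get("Enabled", False):
            problems[key_id] = meta.get("KeyState", "Unknown")
    return problems

def assert_all_cmks_usable(describe_key, key_ids) -> None:
    """Fail fast with one clear error: encrypt needs every master key to succeed."""
    problems = find_unusable_cmks(describe_key, key_ids)
    if problems:
        raise UnusableMasterKeys(problems)
```

Run the check right before constructing KMSMasterKeyProvider so a disabled or deleted CMK is reported by ARN and state instead of surfacing mid-encrypt.
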
mattsb42-aws changed the title from "Encrypt throws error when a CMK within KMSMasterKeyProvider is disabled" to "Encrypt throws incorrect error when a CMK within KMSMasterKeyProvider is disabled" Feb 20, 2019