Error encrypting with Google Cloud KMS

gorzek commented 5 years ago

I'm getting the following error when attempting to encrypt a key via Google Cloud KMS:

{"Timestamp":"2019-08-19T16:06:28.6135185+00:00","Level":"Error","MessageTemplate":"Unhandled exception while processing request","Exception":"System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.\n   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)\n   at System.Convert.FromBase64String(String s)\n   at Google.Protobuf.ByteString.FromBase64(String bytes)\n   at Kamus.KeyManagement.GoogleCloudKeyManagment.Encrypt(String data, String serviceAccountId, Boolean createKeyIfMissing) in /app/key-managment/GoogleCloudKeyManagment.cs:line 85\n   at Kamus.Controllers.EncryptController.Encrypt(EncryptRequest body) in /app/encrypt-api/Controllers/EncryptController.cs:line 45\n   at lambda_method(Closure , Object )\n   at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()\n   at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)\n   at System.Threading.Tasks.ValueTask`1.get_Result()\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()\n   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()\n   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)\n   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)\n   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()\n   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()\n   at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)\n   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)\n   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)\n   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)\n   at Kamus.ErrorHandlingMiddleware.Invoke(HttpContext httpContext) in /app/encrypt-api/ErrorHandlingMiddleware.cs:line 25","Properties":{"SourceContext":"Kamus.ErrorHandlingMiddleware"}}

I've installed kamus via helm chart into a Kubernetes cluster. I have set up a keyring and service account which kamus has successfully created keys with in KMS. The CLI gets me an HTTP status 500 when attempting to encrypt a single string, and the text above is pulled from the pod logs coinciding with the error.

So, I don't think connectivity to the pod is an issue, though clearly something is amiss with how the Google credentials are being used to interact with KMS. Might be a misconfiguration on my part but I've ruled out as much as I can.

I appreciate any help anyone could offer on this.